Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Project: DependencyCheck

ApplicationSecurity:DependencyCheck:0.0.1-SNAPSHOT

| Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| jconsole.jar | | sun.jdk:jconsole:1.8 | | 0 | | 11 |
| artemis-boot-1.3.0.jar | | org.apache.activemq:artemis-boot:1.3.0 | | 0 | | 21 |
| artemis-server-1.3.0.jar | | org.apache.activemq:artemis-server:1.3.0 | | 0 | | 21 |
| artemis-commons-1.3.0.jar | | org.apache.activemq:artemis-commons:1.3.0 | | 0 | | 21 |
| artemis-selector-1.3.0.jar | | org.apache.activemq:artemis-selector:1.3.0 | | 0 | | 21 |
| artemis-journal-1.3.0.jar | | org.apache.activemq:artemis-journal:1.3.0 | | 0 | | 21 |
| netty-all-4.0.32.Final.jar | cpe:/a:netty_project:netty:4.0.32 | io.netty:netty-all:4.0.32.Final | High | 1 | Highest | 16 |
| artemis-dto-1.3.0.jar | | org.apache.activemq:artemis-dto:1.3.0 | | 0 | | 21 |
| artemis-cli-1.3.0.jar | | org.apache.activemq:artemis-cli:1.3.0 | | 0 | | 21 |
| artemis-jms-server-1.3.0.jar | | org.apache.activemq:artemis-jms-server:1.3.0 | | 0 | | 21 |
| artemis-service-extensions-1.3.0.jar | | org.apache.activemq:artemis-service-extensions:1.3.0 | | 0 | | 21 |
| geronimo-jms_2.0_spec-1.0-alpha-2.jar | | org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2 | | 0 | | 27 |
| geronimo-ejb_3.0_spec-1.0.1.jar | | org.apache.geronimo.specs:geronimo-ejb_3.0_spec:1.0.1 | | 0 | | 23 |
| geronimo-jta_1.1_spec-1.1.1.jar | | org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1 | | 0 | | 23 |
| artemis-jms-client-1.3.0.jar | | org.apache.activemq:artemis-jms-client:1.3.0 | | 0 | | 21 |
| javax.inject-1.jar | | javax.inject:javax.inject:1 | | 0 | | 17 |
| artemis-ra-1.3.0.jar | | org.apache.activemq:artemis-ra:1.3.0 | | 0 | | 21 |
| artemis-spring-integration-1.3.0.jar | | org.apache.activemq:artemis-spring-integration:1.3.0 | | 0 | | 21 |
| spring-tx-3.1.4.RELEASE.jar | cpe:/a:vmware:springsource_spring_framework:3.1.4; cpe:/a:pivotal:spring_framework:3.1.4; cpe:/a:pivotal_software:spring_framework:3.1.4; cpe:/a:springsource:spring_framework:3.1.4 | org.springframework:spring-tx:3.1.4.RELEASE | High | 12 | Highest | 21 |
| artemis-vertx-integration-1.3.0.jar | | org.apache.activemq:artemis-vertx-integration:1.3.0 | | 0 | | 21 |
| artemis-rest-1.3.0.jar | cpe:/a:apache:activemq_artemis:1.3.0 | org.apache.activemq.rest:artemis-rest:1.3.0 | High | 2 | Highest | 21 |
| resteasy-jaxrs-3.0.17.Final.jar | | org.jboss.resteasy:resteasy-jaxrs:3.0.17.Final | | 0 | | 26 |
| jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar | | org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.0.Final | | 0 | | 39 |
| jboss-annotations-api_1.2_spec-1.0.0.Final.jar | | org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final | | 0 | | 37 |
| activation-1.1.1.jar | | javax.activation:activation:1.1.1 | | 0 | | 21 |
| jcip-annotations-1.0.jar | | net.jcip:jcip-annotations:1.0 | | 0 | | 17 |
| resteasy-jaxb-provider-3.0.17.Final.jar | | org.jboss.resteasy:resteasy-jaxb-provider:3.0.17.Final | | 0 | | 26 |
| resteasy-jackson-provider-3.0.17.Final.jar | | org.jboss.resteasy:resteasy-jackson-provider:3.0.17.Final | | 0 | | 26 |
| resteasy-atom-provider-3.0.17.Final.jar | | org.jboss.resteasy:resteasy-atom-provider:3.0.17.Final | | 0 | | 26 |
| tjws-3.0.17.Final.jar | | org.jboss.resteasy:tjws:3.0.17.Final | | 0 | | 26 |
| geronimo-annotation_1.1_spec-1.0.1.jar | | org.apache.geronimo.specs:geronimo-annotation_1.1_spec:1.0.1 | | 0 | | 29 |
| artemis-aerogear-integration-1.3.0.jar | | org.apache.activemq:artemis-aerogear-integration:1.3.0 | | 0 | | 21 |
| unifiedpush-java-client-1.0.0.jar | | org.jboss.aerogear:unifiedpush-java-client:1.0.0 | | 0 | | 28 |
| base64-2.3.8.jar | | net.iharder:base64:2.3.8 | | 0 | | 17 |
| artemis-web-1.3.0.jar | | org.apache.activemq:artemis-web:1.3.0 | | 0 | | 21 |
| artemis-core-client-1.3.0.jar | | org.apache.activemq:artemis-core-client:1.3.0 | | 0 | | 21 |
| jgroups-3.6.9.Final.jar | | org.jgroups:jgroups:3.6.9.Final | | 0 | | 29 |
| artemis-amqp-protocol-1.3.0.jar | | org.apache.activemq:artemis-amqp-protocol:1.3.0 | | 0 | | 28 |
| artemis-proton-plug-1.3.0.jar | | org.apache.activemq:artemis-proton-plug:1.3.0 | | 0 | | 30 |
| proton-j-0.12.2.jar | cpe:/a:apache:qpid_proton:0.12.2 | org.apache.qpid:proton-j:0.12.2 | Medium | 1 | Highest | 21 |
| artemis-stomp-protocol-1.3.0.jar | | org.apache.activemq:artemis-stomp-protocol:1.3.0 | | 0 | | 28 |
| artemis-openwire-protocol-1.3.0.jar | | org.apache.activemq:artemis-openwire-protocol:1.3.0 | | 0 | | 28 |
| artemis-hornetq-protocol-1.3.0.jar | | org.apache.activemq:artemis-hornetq-protocol:1.3.0 | | 0 | | 28 |
| artemis-hqclient-protocol-1.3.0.jar | | org.apache.activemq:artemis-hqclient-protocol:1.3.0 | | 0 | | 28 |
| artemis-mqtt-protocol-1.3.0.jar | | org.apache.activemq:artemis-mqtt-protocol:1.3.0 | | 0 | | 30 |
| jboss-logging-processor-2.0.0.Alpha2.jar | | org.jboss.logging:jboss-logging-processor:2.0.0.Alpha2 | | 0 | | 27 |
| jboss-logging-annotations-2.0.0.Alpha2.jar | | org.jboss.logging:jboss-logging-annotations:2.0.0.Alpha2 | | 0 | | 27 |
| jdeparser-2.0.0.Final.jar | | org.jboss.jdeparser:jdeparser:2.0.0.Final | | 0 | | 26 |
| artemis-native-1.3.0.jar | | org.apache.activemq:artemis-native:1.3.0 | | 0 | | 24 |
| artemis-jdbc-store-1.3.0.jar | | org.apache.activemq:artemis-jdbc-store:1.3.0 | | 0 | | 21 |
| artemis-website-1.3.0.jar | | org.apache.activemq:artemis-website:1.3.0 | | 0 | | 21 |
| jboss-logmanager-2.0.3.Final.jar | | org.jboss.logmanager:jboss-logmanager:2.0.3.Final | | 0 | | 39 |
| airline-0.7.jar | | io.airlift:airline:0.7 | | 0 | | 20 |
| annotations-2.0.3.jar | | com.google.code.findbugs:annotations:2.0.3 | | 0 | | 20 |
| activemq-client-5.12.0.jar | cpe:/a:apache:activemq:5.12.0 | org.apache.activemq:activemq-client:5.12.0 | High | 9 | Highest | 23 |
| geronimo-jms_1.1_spec-1.1.1.jar | | org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1 | | 0 | | 23 |
| hawtbuf-1.11.jar | | org.fusesource.hawtbuf:hawtbuf:1.11 | | 0 | | 27 |
| geronimo-j2ee-management_1.1_spec-1.0.1.jar | | org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec:1.0.1 | | 0 | | 23 |
| jetty-all-9.2.11.v20150529.jar | cpe:/a:jetty:jetty:9.2.11.v20150529; cpe:/a:eclipse:jetty:9.2.11.v20150529 | org.eclipse.jetty.aggregate:jetty-all:9.2.11.v20150529 | High | 4 | Low | 13 |
| javax.websocket-api-1.0.jar | | javax.websocket:javax.websocket-api:1.0 | | 0 | | 26 |
| tomcat-servlet-api-8.0.23.jar | | org.apache.tomcat:tomcat-servlet-api:8.0.23 | | 0 | | 16 |
| commons-beanutils-1.9.2.jar | cpe:/a:apache:commons_beanutils:1.9.2 | commons-beanutils:commons-beanutils:1.9.2 | | 0 | Low | 33 |
| commons-logging-1.2.jar | | commons-logging:commons-logging:1.2 | | 0 | | 33 |
| netty-transport-5.0.0.Alpha2.jar | cpe:/a:netty_project:netty:5.0.0 | io.netty:netty-transport:5.0.0.Alpha2 | | 0 | Low | 22 |
| red5-server-1.0.8-RELEASE.jar | | org.red5:red5-server:1.0.8-RELEASE | | 0 | | 28 |
| slf4j-api-1.7.22.jar | cpe:/a:slf4j:slf4j:1.7.22 | org.slf4j:slf4j-api:1.7.22 | | 0 | Low | 28 |
| jcl-over-slf4j-1.7.22.jar | cpe:/a:slf4j:slf4j:1.7.22 | org.slf4j:jcl-over-slf4j:1.7.22 | | 0 | Low | 28 |
| jul-to-slf4j-1.7.22.jar | cpe:/a:slf4j:slf4j:1.7.22 | org.slf4j:jul-to-slf4j:1.7.22 | | 0 | Low | 27 |
| log4j-over-slf4j-1.7.22.jar | cpe:/a:slf4j:slf4j:1.7.22 | org.slf4j:log4j-over-slf4j:1.7.22 | | 0 | Low | 28 |
| logback-core-1.1.7.jar | cpe:/a:logback:logback:1.1.7 | ch.qos.logback:logback-core:1.1.7 | High | 1 | Low | 27 |
| spring-core-4.3.5.RELEASE.jar | cpe:/a:pivotal_software:spring_framework:4.3.5; cpe:/a:pivotal:spring_framework:4.3.5 | org.springframework:spring-core:4.3.5.RELEASE | High | 8 | Highest | 25 |
| red5-server-common-1.0.8-RELEASE.jar | | org.red5:red5-server-common:1.0.8-RELEASE | | 0 | | 27 |
| mina-core-2.0.16.jar | | org.apache.mina:mina-core:2.0.16 | | 0 | | 24 |
| commons-lang3-3.5.jar | | org.apache.commons:commons-lang3:3.5 | | 0 | | 38 |
| bcprov-jdk15on-1.55.jar | cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.55; cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.55; cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.55 | org.bouncycastle:bcprov-jdk15on:1.55 | High | 13 | Highest | 39 |
| red5-io-1.0.8-RELEASE.jar | | org.red5:red5-io:1.0.8-RELEASE | | 0 | | 27 |
| tika-core-1.14.jar | cpe:/a:apache:tika:1.14 | org.apache.tika:tika-core:1.14 | High | 4 | Highest | 36 |
| jmatio-1.2.jar | | org.tallison:jmatio:1.2 | | 0 | | 18 |
| apache-mime4j-core-0.7.2.jar | cpe:/a:apache:james:0.7.2 | org.apache.james:apache-mime4j-core:0.7.2 | | 0 | Low | 30 |
| pdfbox-tools-2.0.3.jar | cpe:/a:apache:pdfbox:2.0.3 | org.apache.pdfbox:pdfbox-tools:2.0.3 | | 0 | Low | 23 |
| jempbox-1.8.12.jar | cpe:/a:apache:pdfbox:1.8.12 | org.apache.pdfbox:jempbox:1.8.12 | | 0 | Low | 32 |
| tagsoup-1.2.1.jar | | org.ccil.cowan.tagsoup:tagsoup:1.2.1 | | 0 | | 15 |
| asm-5.0.4.jar | | org.ow2.asm:asm:5.0.4 | | 0 | | 25 |
| metadata-extractor-2.9.1.jar | cpe:/a:id:id-software:2.9.1 | com.drewnoakes:metadata-extractor:2.9.1 | | 0 | Low | 18 |
| xmpcore-5.1.2.jar | | com.adobe.xmp:xmpcore:5.1.2 | | 0 | | 27 |
| boilerpipe-1.1.0.jar | cpe:/a:html-pages_project:html-pages:1.1.0 | de.l3s.boilerpipe:boilerpipe:1.1.0 | | 0 | Low | 19 |
| rome-1.5.1.jar | | com.rometools:rome:1.5.1 | | 0 | | 23 |
| rome-utils-1.5.1.jar | | com.rometools:rome-utils:1.5.1 | | 0 | | 22 |
| juniversalchardet-1.0.3.jar | | com.googlecode.juniversalchardet:juniversalchardet:1.0.3 | | 0 | | 20 |
| ehcache-core-2.6.11.jar | | net.sf.ehcache:ehcache-core:2.6.11 | | 0 | | 16 |
| isoparser-1.1.17.jar | | com.googlecode.mp4parser:isoparser:1.1.17 | | 0 | | 16 |
| red5-service-1.0.8-RELEASE.jar | | org.red5:red5-service:1.0.8-RELEASE | | 0 | | 25 |
| commons-daemon-1.0.15.jar | cpe:/a:apache:apache_commons_daemon:1.0.15 | commons-daemon:commons-daemon:1.0.15 | | 0 | Low | 33 |
| mina-integration-beans-2.0.16.jar | | org.apache.mina:mina-integration-beans:2.0.16 | | 0 | | 24 |
| quartz-2.2.3.jar | | org.quartz-scheduler:quartz:2.2.3 | | 0 | | 40 |
| nifi-api-1.3.0.jar | cpe:/a:apache:nifi:1.3.0 | org.apache.nifi:nifi-api:1.3.0 | Medium | 2 | Highest | 19 |
| javax.json-api-1.1.2.jar | | javax.json:javax.json-api:1.1.2 | | 0 | | 30 |
| vdx-core-1.1.6.jar | | org.projectodd.vdx:vdx-core:1.1.6 | | 0 | | 22 |
| vdx-wildfly-1.1.6.jar | cpe:/a:wildfly:wildfly:1.1.6 | org.projectodd.vdx:vdx-wildfly:1.1.6 | | 0 | Low | 22 |
| undertow-core-2.0.9.Final.jar | | io.undertow:undertow-core:2.0.9.Final | | 0 | | 34 |
| cal10n-api-0.8.1.jar | | ch.qos.cal10n:cal10n-api:0.8.1 | | 0 | | 21 |
| woodstox-core-5.0.3.jar | | com.fasterxml.woodstox:woodstox-core:5.0.3 | | 0 | | 40 |
| javax.json-1.1.2.jar | | org.glassfish:javax.json:1.1.2 | | 0 | | 31 |
| stax2-api-3.1.4.jar | | org.codehaus.woodstox:stax2-api:3.1.4 | | 0 | | 26 |
| jandex-2.0.5.Final.jar | | org.jboss:jandex:2.0.5.Final | | 0 | | 35 |
| jboss-dmr-1.5.0.Final.jar | | org.jboss:jboss-dmr:1.5.0.Final | | 0 | | 28 |
| staxmapper-1.3.0.Final.jar | | org.jboss:staxmapper:1.3.0.Final | | 0 | | 26 |
| jboss-interceptors-api_1.2_spec-1.0.1.Final.jar | | org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.2_spec:1.0.1.Final | | 0 | | 39 |
| jboss-jacc-api_1.5_spec-1.0.2.Final.jar | | org.jboss.spec.javax.security.jacc:jboss-jacc-api_1.5_spec:1.0.2.Final | | 0 | | 39 |
| jboss-classfilewriter-1.2.2.Final.jar | | org.jboss.classfilewriter:jboss-classfilewriter:1.2.2.Final | | 0 | | 39 |
| jboss-vfs-3.2.12.Final.jar | | org.jboss:jboss-vfs:3.2.12.Final | | 0 | | 34 |
| aesh-readline-1.7.jar | | org.aesh:aesh-readline:1.7 | | 0 | | 20 |
| aesh-extensions-1.3.jar | | org.aesh:aesh-extensions:1.3 | | 0 | | 28 |
| aesh-1.4.jar | | org.aesh:aesh:1.4 | | 0 | | 28 |
| jboss-invocation-1.5.1.Final.jar | | org.jboss.invocation:jboss-invocation:1.5.1.Final | | 0 | | 28 |
| jboss-logging-3.3.1.Final.jar | | org.jboss.logging:jboss-logging:3.3.1.Final | | 0 | | 39 |
| jul-to-slf4j-stub-1.0.1.Final.jar | cpe:/a:slf4j:slf4j:1.0.1 | org.jboss.logging:jul-to-slf4j-stub:1.0.1.Final | | 0 | Low | 26 |
| commons-logging-jboss-logging-1.0.0.Final.jar | | org.jboss.logging:commons-logging-jboss-logging:1.0.0.Final | | 0 | | 30 |
| log4j-jboss-logmanager-1.1.4.Final.jar | | org.jboss.logmanager:log4j-jboss-logmanager:1.1.4.Final | | 0 | | 26 |
| jboss-marshalling-2.0.5.Final.jar | | org.jboss.marshalling:jboss-marshalling:2.0.5.Final | | 0 | | 28 |
| jboss-marshalling-river-2.0.5.Final.jar | | org.jboss.marshalling:jboss-marshalling-river:2.0.5.Final | | 0 | | 28 |
| jboss-modules-1.8.5.Final.jar | | org.jboss.modules:jboss-modules:1.8.5.Final | | 0 | | 28 |
| jboss-msc-1.4.2.Final.jar | | org.jboss.msc:jboss-msc:1.4.2.Final | | 0 | | 28 |
| jboss-remoting-5.0.7.Final.jar | | org.jboss.remoting:jboss-remoting:5.0.7.Final | | 0 | | 34 |
| remoting-jmx-3.0.0.Final.jar | | org.jboss.remotingjmx:remoting-jmx:3.0.0.Final | | 0 | | 28 |
| slf4j-jboss-logmanager-1.0.3.GA.jar | cpe:/a:slf4j:slf4j:1.0.3 | org.jboss.slf4j:slf4j-jboss-logmanager:1.0.3.GA | | 0 | Low | 28 |
| jboss-stdio-1.0.2.GA.jar | | org.jboss.stdio:jboss-stdio:1.0.2.GA | | 0 | | 28 |
| jboss-threads-2.3.2.Final.jar | | org.jboss.threads:jboss-threads:2.3.2.Final | | 0 | | 26 |
| xnio-api-3.6.3.Final.jar | | org.jboss.xnio:xnio-api:3.6.3.Final | | 0 | | 41 |
| xnio-nio-3.6.3.Final.jar | | org.jboss.xnio:xnio-nio:3.6.3.Final | | 0 | | 41 |
| jansi-1.16.jar | | org.fusesource.jansi:jansi:1.16 | | 0 | | 25 |
| wildfly-common-1.4.0.Final.jar | cpe:/a:wildfly:wildfly:1.4.0 | org.wildfly.common:wildfly-common:1.4.0.Final | | 0 | Low | 33 |
| wildfly-openssl-java-1.0.6.Final.jar | cpe:/a:wildfly:wildfly:1.0.6; cpe:/a:openssl_project:openssl:1.0.6; cpe:/a:openssl:openssl:1.0.6 | org.wildfly.openssl:wildfly-openssl-java:1.0.6.Final | High | 8 | Low | 24 |
| wildfly-core-security-5.0.0.Final.jar | cpe:/a:wildfly:wildfly:5.0.0 | org.wildfly.core:wildfly-core-security:5.0.0.Final | | 0 | Low | 26 |
| wildfly-elytron-1.3.3.Final.jar | cpe:/a:wildfly:wildfly:1.3.3 | org.wildfly.security:wildfly-elytron:1.3.3.Final | | 0 | Low | 28 |
| wildfly-elytron-tool-1.2.2.Final.jar | cpe:/a:wildfly:wildfly:1.2.2 | org.wildfly.security:wildfly-elytron-tool:1.2.2.Final | | 0 | Low | 20 |
| undertow-server-1.1.0.Final.jar | cpe:/a:wildfly:wildfly:1.1.0 | org.wildfly.security.elytron-web:undertow-server:1.1.0.Final | | 0 | Low | 28 |
| wildfly-client-config-1.0.0.Final.jar | cpe:/a:wildfly:wildfly:1.0.0 | org.wildfly.client:wildfly-client-config:1.0.0.Final | | 0 | Low | 37 |
| wildfly-discovery-client-1.1.1.Final.jar | cpe:/a:wildfly:wildfly:1.1.1 | org.wildfly.discovery:wildfly-discovery-client:1.1.1.Final | | 0 | Low | 24 |
| xercesImpl-2.11.0.SP5.jar | cpe:/a:apache:xerces2_java:2.11.0.sp5 | xerces:xercesImpl:2.11.0.SP5 | | 0 | Low | 63 |
| xml-resolver-1.2.jar | | xml-resolver:xml-resolver:1.2 | | 0 | | 20 |
| kafka_2.12-1.0.0.jar | cpe:/a:apache:kafka:1.0.0 | org.apache.kafka:kafka_2.12:1.0.0 | Medium | 1 | Highest | 13 |
| lz4-java-1.4.jar | | org.lz4:lz4-java:1.4 | | 0 | | 26 |
| snappy-java-1.1.4.jar | | org.xerial.snappy:snappy-java:1.1.4 | | 0 | | 24 |
| jackson-databind-2.9.1.jar | cpe:/a:fasterxml:jackson-databind:2.9.1; cpe:/a:fasterxml:jackson:2.9.1 | com.fasterxml.jackson.core:jackson-databind:2.9.1 | High | 3 | Highest | 38 |
| jackson-annotations-2.9.0.jar | cpe:/a:fasterxml:jackson:2.9.0 | com.fasterxml.jackson.core:jackson-annotations:2.9.0 | | 0 | Low | 36 |
| jackson-core-2.9.1.jar | cpe:/a:fasterxml:jackson:2.9.1 | com.fasterxml.jackson.core:jackson-core:2.9.1 | | 0 | Low | 38 |
| jopt-simple-5.0.4.jar | | net.sf.jopt-simple:jopt-simple:5.0.4 | | 0 | | 19 |
| metrics-core-2.2.0.jar | | com.yammer.metrics:metrics-core:2.2.0 | | 0 | | 18 |
| scala-library-2.12.3.jar | cpe:/a:scala-lang:scala:2.12.3 | org.scala-lang:scala-library:2.12.3 | High | 1 | Highest | 26 |
| slf4j-log4j12-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:slf4j-log4j12:1.7.25 | | 0 | Low | 28 |
| zkclient-0.10.jar | | com.101tec:zkclient:0.10 | | 0 | | 20 |
| zookeeper-3.4.10.jar | cpe:/a:apache:zookeeper:3.4.10 | org.apache.zookeeper:zookeeper:3.4.10 | Medium | 1 | Low | 20 |
| orc-core-1.4.3.jar | | org.apache.orc:orc-core:1.4.3 | | 0 | | 25 |
| protobuf-java-2.5.0.jar | cpe:/a:google:protobuf:2.5.0 | com.google.protobuf:protobuf-java:2.5.0 | Medium | 1 | Highest | 26 |
| commons-lang-2.6.jar | | commons-lang:commons-lang:2.6 | | 0 | | 31 |
| aircompressor-0.8.jar | | io.airlift:aircompressor:0.8 | | 0 | | 24 |
| hive-storage-api-2.2.1.jar | cpe:/a:apache:hive:2.2.1 | org.apache.hive:hive-storage-api:2.2.1 | | 0 | Low | 23 |
| camel-core-2.19.3.jar | cpe:/a:apache:camel:2.19.3 | org.apache.camel:camel-core:2.19.3 | | 0 | Low | 32 |
| jaxb-core-2.2.11.jar | | com.sun.xml.bind:jaxb-core:2.2.11 | | 0 | | 25 |
| jaxb-impl-2.2.11.jar | | com.sun.xml.bind:jaxb-impl:2.2.11 | | 0 | | 28 |
| jenkins-core-2.19.jar | cpe:/a:jenkins:jenkins:2.19 | org.jenkins-ci.main:jenkins-core:2.19 | High | 54 | Highest | 18 |
| icon-set-1.0.5.jar | cpe:/a:jenkins:jenkins:1.0.5 | org.jenkins-ci.plugins.icon-shim:icon-set:1.0.5 | High | 107 | Low | 22 |
| remoting-2.62.jar | cpe:/a:jenkins:jenkins:2.62 | org.jenkins-ci.main:remoting:2.62 | High | 34 | Highest | 15 |
| constant-pool-scanner-1.2.jar | | org.jenkins-ci:constant-pool-scanner:1.2 | | 0 | | 18 |
| cli-2.19.jar | cpe:/a:jenkins:jenkins:2.19 | org.jenkins-ci.main:cli:2.19 | High | 54 | Highest | 20 |
| version-number-1.1.jar | cpe:/a:jenkins:jenkins:1.1 | org.jenkins-ci:version-number:1.1 | High | 107 | Low | 18 |
| crypto-util-1.1.jar | cpe:/a:jenkins:jenkins:1.1 | org.jenkins-ci:crypto-util:1.1 | High | 107 | Low | 20 |
| jtidy-4aug2000r7-dev-hudson-1.jar | cpe:/a:html-tidy:tidy:- | org.jvnet.hudson:jtidy:4aug2000r7-dev-hudson-1 | | 0 | Low | 21 |
| guice-4.0-beta.jar | cpe:/a:google:guava:11.0.1 | com.google.inject:guice:4.0-beta | Medium | 1 | Highest | 33 |
| aopalliance-1.0.jar | | aopalliance:aopalliance:1.0 | | 0 | | 17 |
| jna-posix-1.0.3-jenkins-1.jar | cpe:/a:jruby:jruby:1.0.3 | org.jruby.ext.posix:jna-posix:1.0.3-jenkins-1 | High | 3 | Highest | 16 |
| jnr-posix-3.0.1.jar | | com.github.jnr:jnr-posix:3.0.1 | | 0 | | 14 |
| jnr-ffi-1.0.7.jar | | com.github.jnr:jnr-ffi:1.0.7 | | 0 | | 20 |
| jffi-1.2.7.jar | | com.github.jnr:jffi:1.2.7 | | 0 | | 18 |
| jffi-1.2.7-native.jar | | com.github.jnr:jffi:1.2.7 | | 0 | | 6 |
| asm-commons-4.0.jar | | org.ow2.asm:asm-commons:4.0 | | 0 | | 18 |
| asm-analysis-4.0.jar | | org.ow2.asm:asm-analysis:4.0 | | 0 | | 18 |
| asm-tree-4.0.jar | | org.ow2.asm:asm-tree:4.0 | | 0 | | 18 |
| asm-util-4.0.jar | | org.ow2.asm:asm-util:4.0 | | 0 | | 18 |
| jnr-x86asm-1.0.2.jar | | com.github.jnr:jnr-x86asm:1.0.2 | | 0 | | 18 |
| jnr-constants-0.8.5.jar | | com.github.jnr:jnr-constants:0.8.5 | | 0 | | 20 |
| trilead-putty-extension-1.2.jar | cpe:/a:putty:putty:1.2 | org.kohsuke:trilead-putty-extension:1.2 | | 0 | Low | 22 |
| trilead-ssh2-build217-jenkins-8.jar | cpe:/a:jenkins:ssh:- | org.jenkins-ci:trilead-ssh2:build217-jenkins-8 | Medium | 1 | Low | 17 |
| stapler-groovy-1.243.jar | | org.kohsuke.stapler:stapler-groovy:1.243 | | 0 | | 23 |
| stapler-jelly-1.243.jar | | org.kohsuke.stapler:stapler-jelly:1.243 | | 0 | | 22 |
| commons-jelly-1.1-jenkins-20120928.jar | cpe:/a:apache:commons-jelly:1.1 | org.jenkins-ci:commons-jelly:1.1-jenkins-20120928 | | 0 | Low | 21 |
| dom4j-1.6.1-jenkins-4.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | org.jenkins-ci.dom4j:dom4j:1.6.1-jenkins-4 | Medium | 1 | Highest | 21 |
| stapler-jrebel-1.243.jar | | org.kohsuke.stapler:stapler-jrebel:1.243 | | 0 | | 20 |
| stapler-1.243.jar | | org.kohsuke.stapler:stapler:1.243 | | 0 | | 20 |
| javax.annotation-api-1.2.jar | | javax.annotation:javax.annotation-api:1.2 | | 0 | | 35 |
| commons-discovery-0.4.jar | | commons-discovery:commons-discovery:0.4 | | 0 | | 26 |
| tiger-types-2.2.jar | | org.jvnet:tiger-types:2.2 | | 0 | | 14 |
| windows-package-checker-1.2.jar | | org.kohsuke:windows-package-checker:1.2 | | 0 | | 19 |
| stapler-adjunct-zeroclipboard-1.3.5-1.jar | cpe:/a:zeroclipboard_project:zeroclipboard:1.3.5.1 | org.kohsuke.stapler:stapler-adjunct-zeroclipboard:1.3.5-1 | | 0 | Low | 17 |
| stapler-adjunct-timeline-1.4.jar | | org.kohsuke.stapler:stapler-adjunct-timeline:1.4 | | 0 | | 17 |
| stapler-adjunct-codemirror-1.3.jar | | org.kohsuke.stapler:stapler-adjunct-codemirror:1.3 | | 0 | | 11 |
| bridge-method-annotation-1.13.jar | | com.infradna.tool:bridge-method-annotation:1.13 | | 0 | | 20 |
| json-lib-2.4-jenkins-2.jar | | org.kohsuke.stapler:json-lib:2.4-jenkins-2 | | 0 | | 25 |
| ezmorph-1.0.6.jar | | net.sf.ezmorph:ezmorph:1.0.6 | | 0 | | 19 |
| commons-httpclient-3.1.jar | cpe:/a:apache:httpclient:3.1; cpe:/a:apache:commons-httpclient:3.1 | commons-httpclient:commons-httpclient:3.1 | | 0 | Low | 21 |
| args4j-2.0.31.jar | | args4j:args4j:2.0.31 | | 0 | | 21 |
| annotation-indexer-1.11.jar | | org.jenkins-ci:annotation-indexer:1.11 | | 0 | | 22 |
| bytecode-compatibility-transformer-1.8.jar | cpe:/a:jenkins:jenkins:1.8 | org.jenkins-ci:bytecode-compatibility-transformer:1.8 | High | 107 | Low | 18 |
| asm5-5.0.1.jar | | org.kohsuke:asm5:5.0.1 | | 0 | | 18 |
| task-reactor-1.4.jar | cpe:/a:jenkins:jenkins:1.4 | org.jenkins-ci:task-reactor:1.4 | High | 107 | Low | 20 |
| localizer-1.23.jar | | org.jvnet.localizer:localizer:1.23 | | 0 | | 18 |
| antlr-2.7.6.jar | | antlr:antlr:2.7.6 | | 0 | | 13 |
| xstream-1.4.7-jenkins-1.jar | cpe:/a:xstream_project:xstream:1.4.7 | org.jvnet.hudson:xstream:1.4.7-jenkins-1 | Medium | 2 | Low | 35 |
| jfreechart-1.0.9.jar | | jfree:jfreechart:1.0.9 | | 0 | | 21 |
| jcommon-1.0.12.jar | | jfree:jcommon:1.0.12 | | 0 | | 21 |
| ant-1.8.4.jar | | org.apache.ant:ant:1.8.4 | | 0 | | 18 |
| ant-launcher-1.8.4.jar | | org.apache.ant:ant-launcher:1.8.4 | | 0 | | 21 |
| commons-io-2.4.jar | | commons-io:commons-io:2.4 | | 0 | | 33 |
| commons-digester-2.1.jar | | commons-digester:commons-digester:2.1 | | 0 | | 31 |
| commons-compress-1.10.jar | cpe:/a:apache:commons-compress:1.10 | org.apache.commons:commons-compress:1.10 | | 0 | Low | 38 |
| mail-1.4.4.jar | cpe:/a:sun:javamail:1.4.4 | javax.mail:mail:1.4.4 | | 0 | Low | 35 |
| activation-1.1.1-hudson-1.jar | | org.jvnet.hudson:activation:1.1.1-hudson-1 | | 0 | | 17 |
| jaxen-1.1-beta-11.jar | | jaxen:jaxen:1.1-beta-11 | | 0 | | 24 |
| commons-jelly-tags-fmt-1.0.jar | cpe:/a:apache:commons-jelly:1.0.1.rc6 | commons-jelly:commons-jelly-tags-fmt:1.0 | High | 1 | Low | 15 |
| commons-jelly-tags-xml-1.1.jar | cpe:/a:apache:commons-jelly:1.1 | commons-jelly:commons-jelly-tags-xml:1.1 | | 0 | Low | 25 |
| commons-jelly-tags-define-1.0.1-hudson-20071021.jar | cpe:/a:apache:commons-jelly:1.0.1.rc6 | org.jvnet.hudson:commons-jelly-tags-define:1.0.1-hudson-20071021 | High | 1 | Low | 20 |
| commons-jexl-1.1-jenkins-20111212.jar | | org.jenkins-ci:commons-jexl:1.1-jenkins-20111212 | | 0 | | 24 |
| acegi-security-1.0.7.jar | cpe:/a:acegisecurity:acegi-security:1.0.7 | org.acegisecurity:acegi-security:1.0.7 | Medium | 1 | Highest | 16 |
| spring-dao-1.2.9.jar | cpe:/a:pivotal_software:spring_framework:1.2.9; cpe:/a:springsource:spring_framework:1.2.9; cpe:/a:pivotal:spring_framework:1.2.9; cpe:/a:vmware:springsource_spring_framework:1.2.9 | org.springframework:spring-dao:1.2.9 | High | 10 | Low | 25 |
| oro-2.0.8.jar | | oro:oro:2.0.8 | | 0 | | 11 |
| groovy-all-2.4.7.jar | cpe:/a:apache:groovy:2.4.7 | org.codehaus.groovy:groovy-all:2.4.7 | | 0 | Low | 33 |
| jline-2.12.jar | | jline:jline:2.12 | | 0 | | 13 |
| spring-aop-2.5.6.SEC03.jar | cpe:/a:pivotal_software:spring_framework:2.5.6.sec03; cpe:/a:springsource:spring_framework:2.5.6.sec03; cpe:/a:pivotal:spring_framework:2.5.6.sec03; cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03 | org.springframework:spring-aop:2.5.6.SEC03 | High | 10 | Low | 28 |
| xpp3-1.1.4c.jar | | xpp3:xpp3:1.1.4c | | 0 | | 23 |
| jstl-1.1.0.jar | | javax.servlet:jstl:1.1.0 | | 0 | | 15 |
| txw2-20110809.jar | | com.sun.xml.txw2:txw2:20110809 | | 0 | | 22 |
| stax-api-1.0-2.jar | | javax.xml.stream:stax-api:1.0-2 | | 0 | | 17 |
| relaxngDatatype-20020414.jar | | relaxngDatatype:relaxngDatatype:20020414 | | 0 | | 10 |
| commons-collections-3.2.1.jar | cpe:/a:apache:commons_collections:3.2.1 | commons-collections:commons-collections:3.2.1 | High | 2 | Highest | 31 |
| winp-1.22.jar | | org.jvnet.winp:winp:1.22 | | 0 | | 20 |
| memory-monitor-1.9.jar | cpe:/a:jenkins:jenkins:1.9 | org.jenkins-ci:memory-monitor:1.9 | High | 107 | Low | 20 |
| wstx-asl-3.2.9.jar | | org.codehaus.woodstox:wstx-asl:3.2.9 | | 0 | | 24 |
| stax-api-1.0.1.jar | | stax:stax-api:1.0.1 | | 0 | | 19 |
| jmdns-3.4.0-jenkins-3.jar | | org.jenkins-ci:jmdns:3.4.0-jenkins-3 | | 0 | | 19 |
| jna-4.2.1.jar | | net.java.dev.jna:jna:4.2.1 | | 0 | | 27 |
| akuma-1.10.jar | | org.kohsuke:akuma:1.10 | | 0 | | 19 |
| libpam4j-1.8.jar | cpe:/a:libpam4j_project:libpam4j:1.8 | org.kohsuke:libpam4j:1.8 | Medium | 1 | Highest | 20 |
| libzfs-0.5.jar | | org.jvnet.libzfs:libzfs:0.5 | | 0 | | 21 |
| embedded_su4j-1.1.jar | | com.sun.solaris:embedded_su4j:1.1 | | 0 | | 15 |
| sezpoz-1.11.jar | | net.java.sezpoz:sezpoz:1.11 | | 0 | | 17 |
| j-interop-2.0.6-kohsuke-1.jar | | org.kohsuke.jinterop:j-interop:2.0.6-kohsuke-1 | | 0 | | 19 |
| j-interopdeps-2.0.6-kohsuke-1.jar | | org.kohsuke.jinterop:j-interopdeps:2.0.6-kohsuke-1 | | 0 | | 17 |
| jcifs-1.2.19.jar | | org.samba.jcifs:jcifs:1.2.19 | | 0 | | 16 |
| robust-http-client-1.2.jar | | org.jvnet.robust-http-client:robust-http-client:1.2 | | 0 | | 19 |
| symbol-annotation-1.1.jar | cpe:/a:jenkins:jenkins:1.1 | org.jenkins-ci:symbol-annotation:1.1 | High | 107 | Low | 17 |
| commons-codec-1.8.jar | | commons-codec:commons-codec:1.8 | | 0 | | 33 |
| access-modifier-annotation-1.4.jar | | org.kohsuke:access-modifier-annotation:1.4 | | 0 | | 18 |
| commons-fileupload-1.3.1-jenkins-1.jar | cpe:/a:apache:commons_fileupload:1.3.1 | commons-fileupload:commons-fileupload:1.3.1-jenkins-1 | High | 2 | Highest | 32 |
| jbcrypt-0.3m.jar | cpe:/a:mindrot:jbcrypt:0.3m | org.mindrot:jbcrypt:0.3m | | 0 | Low | 23 |
| guava-11.0.1.jar | cpe:/a:google:guava:11.0.1 | com.google.guava:guava:11.0.1 | Medium | 1 | Highest | 22 |
| jzlib-1.1.3-kohsuke-1.jar | cpe:/a:jcraft:jzlib:1.1.3 | com.jcraft:jzlib:1.1.3-kohsuke-1 | | 0 | Low | 23 |
| commons-cli-1.2.jar | | commons-cli:commons-cli:1.2 | | 0 | | 31 |
| commons-math3-3.1.1.jar | | org.apache.commons:commons-math3:3.1.1 | | 0 | | 34 |
| xmlenc-0.52.jar | | xmlenc:xmlenc:0.52 | | 0 | | 17 |
| httpclient-4.5.2.jar | cpe:/a:apache:httpclient:4.5.2 | org.apache.httpcomponents:httpclient:4.5.2 | | 0 | Low | 29 |
| httpcore-4.4.4.jar | | org.apache.httpcomponents:httpcore:4.4.4 | | 0 | | 31 |
| commons-net-3.1.jar | | commons-net:commons-net:3.1 | | 0 | | 33 |
| servlet-api-2.5.jar | | javax.servlet:servlet-api:2.5 | | 0 | | 15 |
| jetty-6.1.26.jar | cpe:/a:mortbay_jetty:jetty:6.1.26; cpe:/a:mortbay:jetty:6.1.26; cpe:/a:jetty:jetty:6.1.26 | org.mortbay.jetty:jetty:6.1.26 | Medium | 1 | Low | 30 |
| jsp-api-2.1.jar | | javax.servlet.jsp:jsp-api:2.1 | | 0 | | 15 |
| jersey-core-1.19.jar | | com.sun.jersey:jersey-core:1.19 | | 0 | | 26 |
| jsr311-api-1.1.1.jar | | javax.ws.rs:jsr311-api:1.1.1 | | 0 | | 25 |
| jersey-servlet-1.19.jar | | com.sun.jersey:jersey-servlet:1.19 | | 0 | | 26 |
| jersey-json-1.19.jar | | com.sun.jersey:jersey-json:1.19 | | 0 | | 26 |
| jettison-1.1.jar | | org.codehaus.jettison:jettison:1.1 | | 0 | | 20 |
| jackson-xc-1.9.2.jar | cpe:/a:fasterxml:jackson:1.9.2 | org.codehaus.jackson:jackson-xc:1.9.2 | | 0 | Low | 27 |
| jersey-server-1.19.jar | | com.sun.jersey:jersey-server:1.19 | | 0 | | 26 |
| log4j-1.2.17.jar | cpe:/a:apache:log4j:1.2.17 | log4j:log4j:1.2.17 | | 0 | Low | 27 |
| jets3t-0.9.0.jar | | net.java.dev.jets3t:jets3t:0.9.0 | | 0 | | 17 |
| java-xmlbuilder-0.4.jar | | com.jamesmurty.utils:java-xmlbuilder:0.4 | | 0 | | 20 |
| commons-configuration-1.6.jar | | commons-configuration:commons-configuration:1.6 | | 0 | | 31 |
| commons-beanutils-core-1.8.0.jar | cpe:/a:apache:commons_beanutils:1.8.0 | commons-beanutils:commons-beanutils-core:1.8.0 | High | 1 | Low | 22 |
| jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | | 0 | Low | 29 |
| avro-1.7.4.jar | | org.apache.avro:avro:1.7.4 | | 0 | | 25 |
| paranamer-2.3.jar | | com.thoughtworks.paranamer:paranamer:2.3 | | 0 | | 18 |
| re2j-1.0.jar | | com.google.re2j:re2j:1.0 | | 0 | | 16 |
| gson-2.2.4.jar | | com.google.code.gson:gson:2.2.4 | | 0 | | 28 |
| hadoop-auth-3.0.0-alpha1.jar | cpe:/a:apache:hadoop:3.0.0:alpha1 | org.apache.hadoop:hadoop-auth:3.0.0-alpha1 | High | 3 | Highest | 24 |
| nimbus-jose-jwt-3.9.jar | cpe:/a:connect2id:nimbus_jose%2bjwt:3.9 | com.nimbusds:nimbus-jose-jwt:3.9 | Medium | 3 | Highest | 40 |
| json-smart-1.1.1.jar | | net.minidev:json-smart:1.1.1 | | 0 | | 19 |
| curator-framework-2.7.1.jar | cpe:/a:apache:zookeeper:2.7.1 | org.apache.curator:curator-framework:2.7.1 | Medium | 2 | Low | 24 |
| jsch-0.1.51.jar | cpe:/a:jcraft:jsch:0.1.51 | com.jcraft:jsch:0.1.51 | Medium | 1 | Low | 22 |
| curator-client-2.7.1.jar | | org.apache.curator:curator-client:2.7.1 | | 0 | | 24 |
| curator-recipes-2.7.1.jar | | org.apache.curator:curator-recipes:2.7.1 | | 0 | | 24 |
| jsr305-3.0.0.jar | | com.google.code.findbugs:jsr305:3.0.0 | | 0 | | 18 |
| htrace-core4-4.0.1-incubating.jar | cpe:/a:fasterxml:jackson:4.0.1 | org.apache.htrace:htrace-core4:4.0.1-incubating | | 0 | Low | 18 |
| kerb-simplekdc-1.0.0-RC2.jar | | org.apache.kerby:kerb-simplekdc:1.0.0-RC2 | | 0 | | 23 |
| kerby-config-1.0.0-RC2.jar | | org.apache.kerby:kerby-config:1.0.0-RC2 | | 0 | | 23 |
| kerb-core-1.0.0-RC2.jar | | org.apache.kerby:kerb-core:1.0.0-RC2 | | 0 | | 23 |
| kerby-asn1-1.0.0-RC2.jar | | org.apache.kerby:kerby-asn1:1.0.0-RC2 | | 0 | | 23 |
| kerby-pkix-1.0.0-RC2.jar | | org.apache.kerby:kerby-pkix:1.0.0-RC2 | | 0 | | 23 |
| kerby-util-1.0.0-RC2.jar | | org.apache.kerby:kerby-util:1.0.0-RC2 | | 0 | | 23 |
| kerb-client-1.0.0-RC2.jar | | org.apache.kerby:kerb-client:1.0.0-RC2 | | 0 | | 23 |
| kerb-common-1.0.0-RC2.jar | | org.apache.kerby:kerb-common:1.0.0-RC2 | | 0 | | 23 |
| kerb-util-1.0.0-RC2.jar | | org.apache.kerby:kerb-util:1.0.0-RC2 | | 0 | | 23 |
| kerb-crypto-1.0.0-RC2.jar | | org.apache.kerby:kerb-crypto:1.0.0-RC2 | | 0 | | 23 |
| kerb-server-1.0.0-RC2.jar | | org.apache.kerby:kerb-server:1.0.0-RC2 | | 0 | | 23 |
| kerb-identity-1.0.0-RC2.jar | | org.apache.kerby:kerb-identity:1.0.0-RC2 | | 0 | | 23 |
| kerb-admin-1.0.0-RC2.jar | | org.apache.kerby:kerb-admin:1.0.0-RC2 | | 0 | | 23 |
| javax.servlet-api-3.1.0.jar | | javax.servlet:javax.servlet-api:3.1.0 | | 0 | | 33 |
| jetty-http-9.4.6.v20180619.jar | cpe:/a:jetty:jetty:9.4.6.v20180619; cpe:/a:eclipse:jetty:9.4.6 | org.eclipse.jetty:jetty-http:9.4.6.v20180619 | High | 6 | Low | 38 |
| jetty-io-9.4.6.v20180619.jar | | org.eclipse.jetty:jetty-io:9.4.6.v20180619 | | 0 | | 36 |
| plexus-archiver-3.5.jar | cpe:/a:archiver_project:archiver:3.5 | org.codehaus.plexus:plexus-archiver:3.5 | | 0 | Low | 20 |
| plexus-utils-3.0.24.jar | | org.codehaus.plexus:plexus-utils:3.0.24 | | 0 | | 22 |
| plexus-io-3.0.0.jar | | org.codehaus.plexus:plexus-io:3.0.0 | | 0 | | 21 |
| snappy-0.4.jar | | org.iq80.snappy:snappy:0.4 | | 0 | | 18 |
| xz-1.6.jar | cpe:/a:tukaani:xz:1.6 | org.tukaani:xz:1.6 | Medium | 1 | Low | 24 |
| artemis-cli-1.3.0.jar: artemis-service.exe | | | | 0 | | 5 |
| jolokia-war-1.3.3.war: jolokia-core-1.3.3.jar | cpe:/a:jolokia:jolokia:1.3.3 | org.jolokia:jolokia-core:1.3.3 | | 0 | Low | 19 |
| jolokia-war-1.3.3.war: json-simple-1.1.1.jar | | com.googlecode.json-simple:json-simple:1.1.1 | | 0 | | 19 |
| ehcache-core-2.6.11.jar: sizeof-agent.jar | | net.sf.ehcache:sizeof-agent:1.0.1 | | 0 | | 26 |
| jansi-1.16.jar: jansi.dll | | | | 0 | | 2 |
| jansi-1.16.jar: jansi.dll | | | | 0 | | 2 |
| wildfly-openssl-windows-i386-1.0.6.Final.jar: wfssl.dll | | | | 0 | | 2 |
| wildfly-openssl-windows-x86_64-1.0.6.Final.jar: wfssl.dll | | | | 0 | | 2 |
| snappy-java-1.1.4.jar: snappyjava.dll | | | | 0 | | 2 |
| snappy-java-1.1.4.jar: snappyjava.dll | | | | 0 | | 2 |
| jffi-1.2.7-native.jar: jffi-1.2.dll | | | | 0 | | 4 |
| jffi-1.2.7-native.jar: jffi-1.2.dll | | | | 0 | | 4 |
| jline-2.12.jar: jansi.dll | | | | 0 | | 2 |
| jline-2.12.jar: jansi.dll | | | | 0 | | 2 |
| winp-1.22.jar: winp.dll | | | | 0 | | 2 |
| winp-1.22.jar: winp.x64.dll | | | | 0 | | 4 |
| jenkins-core-2.19.jar: jenkins.exe | cpe:/a:cloudbees:jenkins:1.1.0.0; cpe:/a:jenkins:jenkins:1.1.0.0 | | High | 111 | Low | 5 |
| jna-4.2.1.jar: jnidispatch.dll | | | | 0 | | 2 |
| jna-4.2.1.jar: jnidispatch.dll | | | | 0 | | 2 |
| jna-4.2.1.jar: jnidispatch.dll | | | | 0 | | 2 |
| jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.websocket:websocket-api:9.2.11.v20150529) | | org.eclipse.jetty.websocket:websocket-api:9.2.11.v20150529 | | 0 | | 11 |
| jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.spdy:spdy-core:9.2.11.v20150529) | cpe:/a:jetty:jetty:9.2.11.v20150529; cpe:/a:eclipse:jetty:9.2.11.v20150529 | org.eclipse.jetty.spdy:spdy-core:9.2.11.v20150529 | High | 4 | Low | 11 |
| jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.spdy:spdy-http-server:9.2.11.v20150529) | cpe:/a:jetty:jetty_http_server:9.2.11.v20150529 | org.eclipse.jetty.spdy:spdy-http-server:9.2.11.v20150529 | | 0 | Low | 11 |
| jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty:jetty-io:9.2.11.v20150529) | | org.eclipse.jetty:jetty-io:9.2.11.v20150529 | | 0 | | 13 |
| aesh-readline-1.7.jar (shaded: org.aesh:aesh-terminal-api:1.7) | | org.aesh:aesh-terminal-api:1.7 | | 0 | | 13 |
| jansi-1.16.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.15) | | org.fusesource.hawtjni:hawtjni-runtime:1.15 | | 0 | | 13 |
| jansi-1.16.jar (shaded: org.fusesource.jansi:jansi-${platform}:1.7) | cpe:/a:id:id-software:1.7 | org.fusesource.jansi:jansi-${platform}:1.7 | | 0 | Low | 16 |
| jansi-1.16.jar (shaded: org.fusesource.jansi:jansi:1.16) | cpe:/a:id:id-software:1.16 | org.fusesource.jansi:jansi:1.16 | | 0 | Low | 13 |
| wildfly-elytron-tool-1.2.2.Final.jar (shaded: commons-cli:commons-cli:1.3.1) | | commons-cli:commons-cli:1.3.1 | | 0 | | 16 |
| jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21) | | com.sun.istack:istack-commons-runtime:2.21 | | 0 | | 11 |
| jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-core:2.2.11) | | org.glassfish.jaxb:jaxb-core:2.2.11 | | 0 | | 13 |
| jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11) | | org.glassfish.jaxb:txw2:2.2.11 | | 0 | | 13 |
| jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11) | | org.glassfish.jaxb:jaxb-runtime:2.2.11 | | 0 | | 13 |
| camel-core-2.19.3.jar (shaded: org.apache.camel:spi-annotations:2.19.3) | cpe:/a:apache:camel:2.19.3 | org.apache.camel:spi-annotations:2.19.3 | | 0 | Low | 13 |
| htrace-core4-4.0.1-incubating.jar (shaded: commons-logging:commons-logging:1.1.1) | | commons-logging:commons-logging:1.1.1 | | 0 | | 16 |

Dependencies

jconsole.jar

File Path: C:\Program Files\Java\jdk1.8.0_191\lib\jconsole.jar
MD5: c379152782c24e613de7ecc34e73ebfe
SHA1: be59c4d23e74fdd31ece8acfe491a16ccdc220fb
SHA256: bb9a1db1f80180946c1a6f73ceeb11a2e7386620c76f7cb8ad48d1b82c7d73ea
Referenced In Project/Scope: DependencyCheck:system

Identifiers

  • maven: sun.jdk:jconsole:1.8  Confidence: Highest

artemis-boot-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-boot\1.3.0\artemis-boot-1.3.0.jar
MD5: 48d1a2c59f66e1b02aaafd0b3e22eff9
SHA1: fdb11f7c3b8776d313a9a14df7c009b51961d35c
SHA256: ace47714f38761f7903d6918dd321a8a726dfb5b79b1e086dbf19b839269e248
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-boot:1.3.0  Confidence: Highest

artemis-server-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-server\1.3.0\artemis-server-1.3.0.jar
MD5: 19cef7563a1aaac0443a7f9e001a2ee2
SHA1: c3e7d8977ba743b9835748324e2fceb0964c495d
SHA256: 98671459428d719fb130981355e2363adf2f61a7e7c13dcd0b491e7aab8cb03d
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-server:1.3.0  Confidence: Highest

artemis-commons-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-commons\1.3.0\artemis-commons-1.3.0.jar
MD5: 6270b2a952ef050ec74bb2b1eaf23a0d
SHA1: 268f4cc7ad4530ceffd0551bc3de1a2b0ea267b9
SHA256: 5051b9b3829de7e835fee11a39b7033c345bec271cdc16252da866f9cc93f445
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-commons:1.3.0  Confidence: Highest

artemis-selector-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-selector\1.3.0\artemis-selector-1.3.0.jar
MD5: a3711ffefc99d2ef1a65004fa5350763
SHA1: 7b899bc9e654d981addd76d0ea157a1f22468ca4
SHA256: f8ab2edc7ba76b8f5fbd86c0c2bae7bbeeb56177e325f8b5434af1a161ffd639
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-selector:1.3.0  Confidence: Highest

artemis-journal-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-journal\1.3.0\artemis-journal-1.3.0.jar
MD5: 535c6f615649cdd809aaaf67b4421b37
SHA1: a14df47168552d9e58055a2a9a41850987155bb1
SHA256: d2f0276392e69ef48960eaebaec0e92dfffcb17d5ce334befaf4386d41a9f7a9
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-journal:1.3.0  Confidence: Highest

netty-all-4.0.32.Final.jar

File Path: C:\Users\Queue\.m2\repository\io\netty\netty-all\4.0.32.Final\netty-all-4.0.32.Final.jar
MD5: 6bfb909843e9d673f304746e6a8d4731
SHA1: e8872b84e976530d8041718a71a98cd5805adf16
SHA256:6124ec6410d3f6be67bb3922c9defd0fcff5979e28d1457553d7a5428e5ab88b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2016-4970  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Vulnerable Software & Versions:

artemis-dto-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-dto\1.3.0\artemis-dto-1.3.0.jar
MD5: 2a2f03b9219ed2ee3dde4718a36fd5f2
SHA1: 83c80ddbdf9d240475284cb3b07a215aa0dac335
SHA256:fa55c478004c1d5a96212507eb25f9656f44b63f6274a0beea007812dac5ab05
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-dto:1.3.0  Confidence:Highest

artemis-cli-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-cli\1.3.0\artemis-cli-1.3.0.jar
MD5: 027e952082d1caf8c049767c285b9986
SHA1: 8c550120f0f507ee5d8d22546a41b3d7001510d8
SHA256:1f6482a1170ce43867cb2f452293b3802ad60b3c66b90b095a492b3e3cd2247a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-cli:1.3.0  Confidence:Highest

artemis-jms-server-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jms-server\1.3.0\artemis-jms-server-1.3.0.jar
MD5: fc840f24247f4ba6efa6f2e0582d2828
SHA1: d48cfa48f92bb90eb5034adf0f19b0c6e61c9362
SHA256:967c10695fa23da622a60af6638a4ff7c7d5a0775a61c01cc96d4b11eaffefcd
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jms-server:1.3.0  Confidence:Highest

artemis-service-extensions-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-service-extensions\1.3.0\artemis-service-extensions-1.3.0.jar
MD5: 92fceac20d3d0762147e5caf8f1f30cb
SHA1: 531232eddef62bfd5e1e7a011a1be7fec1559800
SHA256:d96ba8d82a03c9e58358e61dc926d0fb0d9df2e2e5e55bf9ad61661415369d6a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-service-extensions:1.3.0  Confidence:Highest

geronimo-jms_2.0_spec-1.0-alpha-2.jar

Description:

 Java Message Service 2.0 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jms_2.0_spec\1.0-alpha-2\geronimo-jms_2.0_spec-1.0-alpha-2.jar
MD5: bd94cfcc9f711642d280681330b14844
SHA1: 8d8a4d5a80138ba4ebc7b5509989e3d7013c7e74
SHA256:62a109edef3de718b0cb600bf040b4be5e32c683a57ee16f9f8a89537bf5da51
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2  Confidence:Highest

geronimo-ejb_3.0_spec-1.0.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-ejb_3.0_spec\1.0.1\geronimo-ejb_3.0_spec-1.0.1.jar
MD5: 68fcefd6e5603d976fc885f5152a007b
SHA1: d79076ee74c2349840a019c8d3af0b70a7d4a424
SHA256:01149629423968bac94bc2ca71e90cdf45456e5846d77a8fd67f4b86bac2e78d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-ejb_3.0_spec:1.0.1  Confidence:Highest

geronimo-jta_1.1_spec-1.1.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jta_1.1_spec\1.1.1\geronimo-jta_1.1_spec-1.1.1.jar
MD5: 4aa8d50456bcec0bf6f032ceb182ad64
SHA1: aabab3165b8ea936b9360abbf448459c0d04a5a4
SHA256:3a0c3c1bbc2efe8383969574922791959670ef547d6c897496915617025c3023
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1  Confidence:Highest

artemis-jms-client-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jms-client\1.3.0\artemis-jms-client-1.3.0.jar
MD5: 3ab61650132c627216842e656c2d4507
SHA1: 2ff168068e1f24abf8cedf54aaa0fd8d291b625d
SHA256:993965f9366b9d4942d6bd907c8983605838b3ac6c323890f1d12f63585f2934
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jms-client:1.3.0  Confidence:Highest

javax.inject-1.jar

Description:

 The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\javax\inject\javax.inject\1\javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.inject:javax.inject:1  Confidence:Highest

artemis-ra-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-ra\1.3.0\artemis-ra-1.3.0.jar
MD5: 03479fd963fb2ffc13ae8185342c357c
SHA1: 84c8cd9586e091bca306a93e161daf80b0180f4d
SHA256:e08c519f406619f32825dba244a57a9b60bc2684ed8df632faddd46f3bdc1377
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-ra:1.3.0  Confidence:Highest

artemis-spring-integration-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-spring-integration\1.3.0\artemis-spring-integration-1.3.0.jar
MD5: e50423aa1968913312825af836320824
SHA1: dabd9e5d8601597db17e6577f5ca13db82895e46
SHA256:3123f4ce10b00a55cbb16bb6ea13d6c2cf1fa4f46b8bc356b226948e0d9a9737
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-spring-integration:1.3.0  Confidence:Highest

spring-tx-3.1.4.RELEASE.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-tx\3.1.4.RELEASE\spring-tx-3.1.4.RELEASE.jar
MD5: 07f5b208a5f1cf8e4a938af275ee2bfb
SHA1: e7cd40e53940e26f24f5500a084b45f57fabaa01
SHA256:a6fe4041956a377e8eeedb54ddb6984f397af0bc765d57285d73ff4427a18f28
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-0225  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-3578  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Vulnerable Software & Versions:

CVE-2014-3625  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

Vulnerable Software & Versions:

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

artemis-vertx-integration-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-vertx-integration\1.3.0\artemis-vertx-integration-1.3.0.jar
MD5: a25c0cf8375ce082de5b54bbb93da866
SHA1: 175593bedd303b91e671e9523cb1b24c6426dd57
SHA256:b9da0849f9ae55a159397f49feb6af885020a45839b20e8c610c946cef213160
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-vertx-integration:1.3.0  Confidence:Highest

artemis-rest-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\rest\artemis-rest\1.3.0\artemis-rest-1.3.0.jar
MD5: d748675cc94c48d030863bbf50b61044
SHA1: 09c40934455a9f3a2a900ac294215b2240e75939
SHA256:a0f205fc661c78b6275bcc3375d14c9cfacec181e99eb003d2a35d5948082417
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2015-3208  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.

Vulnerable Software & Versions:

CVE-2016-4978  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

Vulnerable Software & Versions:

resteasy-jaxrs-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jaxrs\3.0.17.Final\resteasy-jaxrs-3.0.17.Final.jar
MD5: 78a9d13d5d006eb1df141bbc4d3428b6
SHA1: cddcf44126949f1da1675ef85ee4bcaecde5e524
SHA256:2c93d54090cf7eb8defed123ed7f6a3b55e88a45826eb5ee7e541609ff4de033
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxrs:3.0.17.Final  Confidence:Highest

jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar

Description:

 JSR 339: JAX-RS 2.0: The Java(TM) API for RESTful Web Services

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\ws\rs\jboss-jaxrs-api_2.0_spec\1.0.0.Final\jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar
MD5: 1d46206cd0a2cc4664bec37af61b1c6d
SHA1: dbf29e00dee135ef537b94167aa08b883f4d4cbf
SHA256:311dc2530b1a8398f1def36f688e739f5261b2e13a9e4b4a577f9df821ce6569
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.0.Final  Confidence:Highest

jboss-annotations-api_1.2_spec-1.0.0.Final.jar

Description:

 JSR 250: Common Annotations for the Java(TM) Platform

License:

CDDL or GPLv2 with exceptions: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\annotation\jboss-annotations-api_1.2_spec\1.0.0.Final\jboss-annotations-api_1.2_spec-1.0.0.Final.jar
MD5: 5f6032592ce12619333ee3330cdebf08
SHA1: 6d7ff02a645227876ed550900d32d618b8f0d556
SHA256:bb979cac95ef2748bc85d4b8151bef88b9a203d03068fbe799c6e6162c950780
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final  Confidence:Highest

activation-1.1.1.jar

Description:

 The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: C:\Users\Queue\.m2\repository\javax\activation\activation\1.1.1\activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.activation:activation:1.1.1  Confidence:Highest

jcip-annotations-1.0.jar

File Path: C:\Users\Queue\.m2\repository\net\jcip\jcip-annotations\1.0\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
SHA256:be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.jcip:jcip-annotations:1.0  Confidence:Highest

resteasy-jaxb-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jaxb-provider\3.0.17.Final\resteasy-jaxb-provider-3.0.17.Final.jar
MD5: 27cd6c9548b862ff77e0008a82ed874d
SHA1: 897e60634f401548fd2d6289cc3cc3d10f80d08d
SHA256:76fd66235a2636ef46d5ee7096b72979a611a8499359922cb64b5fc57228e1e1
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxb-provider:3.0.17.Final  Confidence:Highest

resteasy-jackson-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jackson-provider\3.0.17.Final\resteasy-jackson-provider-3.0.17.Final.jar
MD5: 2e3a7678d2b47d0975cbffffa51df688
SHA1: e655ed57f11291947da4afe3e68086884ec1f131
SHA256:1cf728ac5ce3aaf1c9c26bdb3ab1639dd6a359b280f98c73eda1b3f4e67dd430
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jackson-provider:3.0.17.Final  Confidence:Highest

resteasy-atom-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-atom-provider\3.0.17.Final\resteasy-atom-provider-3.0.17.Final.jar
MD5: 57f174f1cabffb769e3088eb9613586f
SHA1: b19026890f8e259495faaf5b482f7e704a1f2bb1
SHA256:f89c35dd977ae4310ca19faf1a21a09380b0efd3f526ff067f4b481d76bada2d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-atom-provider:3.0.17.Final  Confidence:Highest

tjws-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\tjws\3.0.17.Final\tjws-3.0.17.Final.jar
MD5: c1b7beea201682c3d8da0cde1ee86840
SHA1: a29a2760a6649efdf3377077502be2673b88afb4
SHA256:df2f44d6716934912227bbf9ef24715a44e9e91336ba6f5468f160de5439e2bb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:tjws:3.0.17.Final  Confidence:Highest

geronimo-annotation_1.1_spec-1.0.1.jar

Description:

 Annotation spec 1.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-annotation_1.1_spec\1.0.1\geronimo-annotation_1.1_spec-1.0.1.jar
MD5: 0108e7a68a084e4cbd41520785028752
SHA1: db45e16df8f72e3d6bf2d0117cb5665176c1d520
SHA256:e384dd365fe3d0912af967343c094087f1443b569f4cfc7d1418f145d6b94667
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-annotation_1.1_spec:1.0.1  Confidence:Highest

artemis-aerogear-integration-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-aerogear-integration\1.3.0\artemis-aerogear-integration-1.3.0.jar
MD5: c7e2059d0903674ed723f42f931d7ef3
SHA1: 746b69aed19db2b4194caba60e9e39eb26f65d5b
SHA256:a545203c268864f2ad32b6ba84a184dd88c27206fe50116431e8c34dd4a5a5cc
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-aerogear-integration:1.3.0  Confidence:Highest

unifiedpush-java-client-1.0.0.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\aerogear\unifiedpush-java-client\1.0.0\unifiedpush-java-client-1.0.0.jar
MD5: e77842ba616db14852bc43b09456d1be
SHA1: 111e2c7ad74f316eb5020880961453c97ab5c29f
SHA256:88bdc63438c8b10aebd4c20ef9e5acf16bd3c942d55e290039e313ce7aabb02e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.aerogear:unifiedpush-java-client:1.0.0  Confidence:Highest

base64-2.3.8.jar

Description:

 A Java class providing very fast Base64 encoding and decoding in the form of convenience methods and input/output streams.

License:

Public domain
File Path: C:\Users\Queue\.m2\repository\net\iharder\base64\2.3.8\base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256:bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.iharder:base64:2.3.8  Confidence:Highest

artemis-web-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-web\1.3.0\artemis-web-1.3.0.jar
MD5: ada0c4fc6ccc6a0cc21298f2048bd016
SHA1: d7884d96ce48abc8eb5bd9539727faa86fcd38c5
SHA256:05e1d54b918dcc26e09978550ce426ac786b5a96b7b6cc482e09b4196b5e3be5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-web:1.3.0  Confidence:Highest

artemis-core-client-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-core-client\1.3.0\artemis-core-client-1.3.0.jar
MD5: 0fd5d25eddd9b0a45141b28287810d30
SHA1: fb53acb9e9a0a7c11bb1ce3d9d95cbee633772c0
SHA256:23ac569407d51b811d8a26a47715ec6d7bfd34d830a81b2ca24b5c30bd9b452d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-core-client:1.3.0  Confidence:Highest

jgroups-3.6.9.Final.jar

Description:

 Reliable cluster communication toolkit

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\jgroups\jgroups\3.6.9.Final\jgroups-3.6.9.Final.jar
MD5: a61164494bd8dbdb27a1aa70677faba8
SHA1: 91f48c72e00e68dd48e048e1f008c58c89712dee
SHA256:006cb0ca4b7358e2ae778afe7f7056786fcd4d4b3b02ae7377bb778baf6be196
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jgroups:jgroups:3.6.9.Final  Confidence:Highest

artemis-amqp-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-amqp-protocol\1.3.0\artemis-amqp-protocol-1.3.0.jar
MD5: 5a6f9327ab04a5f2bb0f2226dfd27cc6
SHA1: 6fe1ffddd5a8e887ee25b03c88eb00cf3c86a5be
SHA256:2b621cbc20b2444f3c9d3e8c17f1836ed9e50bc7123e78c5a96f866e4d04b271
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-amqp-protocol:1.3.0  Confidence:Highest

artemis-proton-plug-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-proton-plug\1.3.0\artemis-proton-plug-1.3.0.jar
MD5: c649e71b3bcc7d6c70081611fd230ac6
SHA1: 4e472a369ddec52818b969ccda631aee699061e8
SHA256:91412a83c7d669744b52cd2c8cf18d7c290280ff631e16b0bb4969772180d3ac
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-proton-plug:1.3.0  Confidence:Highest

proton-j-0.12.2.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\qpid\proton-j\0.12.2\proton-j-0.12.2.jar
MD5: e59f6024878406130286ae9b035a4c0d
SHA1: ce444a16c864c8970569350616820708d994a082
SHA256:edd19e3344fe9e5a04a9a21acbea5d29ad2552a64775ce463f165214c01bbec6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2016-4467  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Vulnerable Software & Versions:

artemis-stomp-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-stomp-protocol\1.3.0\artemis-stomp-protocol-1.3.0.jar
MD5: e2d0b5dc0acfa670d2029ce1c0acd94b
SHA1: 28669270d3ac347b57cfbd6ffebf0e9cbbe5b283
SHA256:1c85762eecc2568ef0f261852d51559443e8cee25fd9c93a5334c14c6fa69118
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-stomp-protocol:1.3.0  Confidence:Highest

artemis-openwire-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-openwire-protocol\1.3.0\artemis-openwire-protocol-1.3.0.jar
MD5: 4fd564c8639bd754dd5d0790d2ee38f2
SHA1: 0c81b65024633b2d7e13097e5811c1dcd3d006b3
SHA256:929dda7a20d56713b7f3aa911e4f41d787696524c1235de6d8323f9f2c5adf68
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-openwire-protocol:1.3.0  Confidence:Highest

artemis-hornetq-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-hornetq-protocol\1.3.0\artemis-hornetq-protocol-1.3.0.jar
MD5: 7c907c261fbb6e9378066018250f9e0c
SHA1: 9c4a8f5493b1418328f8512bcda8e158a1c8ed09
SHA256:5d5b91cbbda5adb7faa351bf5328d00141510c8f087ce885a7d64d803eadd3b8
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-hornetq-protocol:1.3.0  Confidence:Highest

artemis-hqclient-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-hqclient-protocol\1.3.0\artemis-hqclient-protocol-1.3.0.jar
MD5: f0fa90ae7505be526a6b7bb3775b60e2
SHA1: b5e8b1858a6e2061a0771777cf6ac724a07e468f
SHA256:65826f6b8fed473152de888933f66bc1d768b9b1dd57b850af4732c2ac1e5d06
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-hqclient-protocol:1.3.0  Confidence:Highest

artemis-mqtt-protocol-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-mqtt-protocol\1.3.0\artemis-mqtt-protocol-1.3.0.jar
MD5: 62e40ba5e22af5a1c775b8cb4243e8dd
SHA1: 05df059e92255c2c9f9096d0cfc14b38f8eea376
SHA256:8a3c505bdfc2af1934ffa34a5f4ad567f5439bce7ace2769e1bcf356d40b4c91
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-mqtt-protocol:1.3.0  Confidence:Highest

jboss-logging-processor-2.0.0.Alpha2.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging-processor\2.0.0.Alpha2\jboss-logging-processor-2.0.0.Alpha2.jar
MD5: abac374a7fcf527dd2bf42bacce94259
SHA1: 99ebc6bf188bed5f2f1e013643bc39f1833fabe6
SHA256:5f64eeb46d75dca27ed83eb1ad8f6b3a52c47d94935698ca76265e2460b82931
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging-processor:2.0.0.Alpha2  Confidence:Highest

jboss-logging-annotations-2.0.0.Alpha2.jar

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging-annotations\2.0.0.Alpha2\jboss-logging-annotations-2.0.0.Alpha2.jar
MD5: 667501a5323801c391e6574e0dfbcf09
SHA1: 1a3168fb4fcd8c0e7d5fb28590dd077e6df584b8
SHA256:ca3d60d719f222bbd09b9ba63145f8b0081b86fb93feae3f40c76bb26ffa66fa
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging-annotations:2.0.0.Alpha2  Confidence:Highest

jdeparser-2.0.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\jdeparser\jdeparser\2.0.0.Final\jdeparser-2.0.0.Final.jar
MD5: 733a7f2c207b3f18bef02c64383c7026
SHA1: 71ec53d2ad72d6cb4e89653d66f65b3f8170870d
SHA256:eb19e6937115c08e00863ecaa5b40e77eff7fe8d86e9cc4a112247098f3cf598
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.jdeparser:jdeparser:2.0.0.Final  Confidence:Highest

artemis-native-1.3.0.jar

Description:

 The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-native\1.3.0\artemis-native-1.3.0.jar
MD5: f49bcdad35757258beea20f28e58853d
SHA1: 50e61fa0cf4a7e39e23279a643be23c112c2fa35
SHA256:a57b001cdd39e10c8a1006d85c1803c64652211810e5c4080572ec6b0ccd5162
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-native:1.3.0  Confidence:Highest

artemis-jdbc-store-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jdbc-store\1.3.0\artemis-jdbc-store-1.3.0.jar
MD5: 1a7b797ae734e1cdd2140b424a03a4fd
SHA1: f53c64099f39a95a60d81953741ff6fee65c8cd2
SHA256:7c2659ad250402b231d2b89b16fd1c97a13efada93a8039cb7241599923d5d58
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jdbc-store:1.3.0  Confidence:Highest

artemis-website-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-website\1.3.0\artemis-website-1.3.0.jar
MD5: 5dbf3b8f900597f8c7796a40686b96a3
SHA1: 2f56caf7c6fe2b5d20f95ea17ebb8e5f77bbc841
SHA256:957d9453430fa8cb9a53204c4e52cdd0e4e7ec0711a92b94c55c5d1c5c1e3e98
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-website:1.3.0  Confidence:Highest

jboss-logmanager-2.0.3.Final.jar

Description:

 An implementation of java.util.logging.LogManager

License:

Apache License Version 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logmanager\jboss-logmanager\2.0.3.Final\jboss-logmanager-2.0.3.Final.jar
MD5: 05865e429caaecad906a11986294e52e
SHA1: 0d2c746f4d4e237339bda5dbf6914b27190c4347
SHA256:119f07f791768432ee0ae3dbada3063481eca1924c217d47290fe5c8cbbea579
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logmanager:jboss-logmanager:2.0.3.Final  Confidence:Highest

airline-0.7.jar

Description:

 Java annotation-based framework for parsing Git like command line structures

File Path: C:\Users\Queue\.m2\repository\io\airlift\airline\0.7\airline-0.7.jar
MD5: 74da3d8dd81d16835097bcc094227430
SHA1: 16edc11b7d2d09e2db512f8028f05b9c48532229
SHA256:2ebe3cc06cadee9273a9bdaff6b582e07c201c0bb44881760eed49861374756d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: io.airlift:airline:0.7  Confidence:Highest

annotations-2.0.3.jar

Description:

 Annotation supports the FindBugs tool

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\com\google\code\findbugs\annotations\2.0.3\annotations-2.0.3.jar
MD5: 276433efe0027762cffb7e4adc9262da
SHA1: 191383fa0deb88f393558eec231b206edc23aba0
SHA256:3ad1e8f838dbd6da3424a451d5d9262ea9c526eddb627b54b885cfd332efbc99
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.findbugs:annotations:2.0.3  Confidence:Highest

activemq-client-5.12.0.jar

Description:

 The ActiveMQ Client implementation

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\activemq-client\5.12.0\activemq-client-5.12.0.jar
MD5: 78d3ec919f95a26498eca206e5bee08e
SHA1: 6f27a6724365563e761fd7385046db0217717335
SHA256:d6033166f5a7764eba250d575ae80d3fe3bee99f53b34b4603174096acbba835
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2015-5182  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ.

Vulnerable Software & Versions:

CVE-2015-5183  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.

Vulnerable Software & Versions:

CVE-2015-5184  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and to have other, unspecified impact.

Vulnerable Software & Versions:

CVE-2015-5254  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Vulnerable Software & Versions:

CVE-2016-0734  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Vulnerable Software & Versions:

CVE-2016-0782  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.

Vulnerable Software & Versions:

CVE-2016-3088  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Vulnerable Software & Versions:

CVE-2016-6810  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.

Vulnerable Software & Versions:

CVE-2018-11775  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-254 7PK - Security Features

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Vulnerable Software & Versions:
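
Several of the activemq-client findings describe components that their own descriptions place in the broker, not in the client library: the Hawtio and jolokia console (CVE-2015-5182, CVE-2015-5183, CVE-2015-5184), the web-based administration console (CVE-2016-0734, CVE-2016-0782, CVE-2016-6810) and the Fileserver web application (CVE-2016-3088). Dependency-Check attaches CVEs through the CPE it assigns to the jar, and the ActiveMQ CPE covers the whole product, so broker-side findings land on activemq-client-5.12.0.jar as well. Once a reviewer has confirmed that the scanned application ships only the client library and no broker or console, they can be suppressed as below. This suppression file is an added example and not part of the report: it keys on the SHA1 of activemq-client-5.12.0.jar printed above so that a different build of the jar is evaluated afresh, and it deliberately leaves CVE-2015-5254 and CVE-2018-11775 in place because both are exercised by the client itself. The wording of the notes is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- activemq-client-5.12.0.jar: Hawtio/jolokia console findings. The console is part of
         the Red Hat JBoss A-MQ distribution, not of the client jar. Scoped by SHA1 so that a
         different build of the artifact is re-evaluated instead of silently inheriting this. -->
    <suppress>
        <notes><![CDATA[Broker management console (Hawtio/jolokia); not shipped in activemq-client. Re-check on upgrade.]]></notes>
        <sha1>6f27a6724365563e761fd7385046db0217717335</sha1>
        <cve>CVE-2015-5182</cve>
        <cve>CVE-2015-5183</cve>
        <cve>CVE-2015-5184</cve>
    </suppress>
    <!-- Same jar: web console and Fileserver webapp findings, both broker-side. -->
    <suppress>
        <notes><![CDATA[Web admin console / Fileserver webapp; these live in the broker distribution, not in the client jar.]]></notes>
        <sha1>6f27a6724365563e761fd7385046db0217717335</sha1>
        <cve>CVE-2016-0734</cve>
        <cve>CVE-2016-0782</cve>
        <cve>CVE-2016-3088</cve>
        <cve>CVE-2016-6810</cve>
    </suppress>
    <!-- CVE-2015-5254 (ObjectMessage deserialisation) and CVE-2018-11775 (missing TLS hostname
         verification) are NOT suppressed: both are in the client code path. Upgrade instead. -->
</suppressions>
```

Pass the file with --suppression on the command line or <suppressionFile> in the Maven plugin configuration. Suppressed findings are still listed in the HTML report under the dependency, so the decision stays visible to the next reviewer rather than vanishing from the scan.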

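The two client-side findings above, CVE-2015-5254 and CVE-2018-11775, both come down to settings on the connection factory and the transport URI, so they can be checked in code review. The consumer below is an added example, not code from this report or from the ActiveMQ project. It assumes activemq-client 5.15.6 or later (5.12.0 has neither the trusted-packages API, which arrived in 5.12.2/5.13.0, nor the client-side socket.verifyHostName transport option introduced in 5.15.6), a hypothetical broker at broker.example.internal:61617, a hypothetical application package com.example.orders and a hypothetical queue named orders.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import javax.jms.TextMessage;
import org.apache.activemq.ActiveMQConnectionFactory;

public final class HardenedActiveMQConsumer {

    /** Connection factory with both client-side settings pinned explicitly. */
    public static ActiveMQConnectionFactory hardenedFactory() {
        // CVE-2018-11775: the ssl transport verifies the broker's hostname by default from
        // 5.15.6 on; spelling it out keeps a later edit of the URI from dropping it quietly.
        // Host and port are assumptions for the example.
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(
                "ssl://broker.example.internal:61617?socket.verifyHostName=true");

        // CVE-2015-5254: ObjectMessage bodies are Java-serialised. Restrict deserialisation
        // to packages this application owns, and never trust all packages on a consumer.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(Arrays.asList("com.example.orders"));   // assumed package
        return factory;
    }

    /** Returns the text payload, refusing serialised objects outright. */
    public static String payloadOf(Message message) throws JMSException {
        if (message instanceof TextMessage) {
            return ((TextMessage) message).getText();
        }
        if (message instanceof ObjectMessage) {
            // getObject() would run a deserializer over bytes a producer chose; the trusted
            // package list narrows the target classes but does not make that safe in general.
            throw new IllegalArgumentException("ObjectMessage is not accepted on this queue");
        }
        throw new IllegalArgumentException("unsupported message type: " + message.getClass().getName());
    }

    public static void main(String[] args) throws JMSException {
        Connection connection = hardenedFactory().createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue("orders"));
            Message message = consumer.receive(5000);
            System.out.println(message == null ? "no message" : "payload: " + payloadOf(message));
        } finally {
            connection.close();
        }
    }
}
```

Run it with the activemq-client jar and the JMS API on the classpath. With the trusted-package list in place, an ObjectMessage carrying a class from any other package fails inside the client with a JMSException that names the forbidden class instead of being deserialised; payloadOf() above never gets that far because it refuses ObjectMessage altogether, which is the cheaper rule where text or JSON payloads suffice.
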
geronimo-jms_1.1_spec-1.1.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jms_1.1_spec\1.1.1\geronimo-jms_1.1_spec-1.1.1.jar
MD5: d80ce71285696d36c1add1989b94f084
SHA1: c872b46c601d8dc03633288b81269f9e42762cea
SHA256:18d9ff7b9066aa99cf89843f5055d2fe58b1abe4346ee9df0daf4ac18ca232d7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1  Confidence:Highest

hawtbuf-1.11.jar

Description:

 HawtBuf: a rich byte buffer library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\fusesource\hawtbuf\hawtbuf\1.11\hawtbuf-1.11.jar
MD5: a80061bd945ca0f13072861777ff27b1
SHA1: 8f0e50ad8bea37b84b698ec40cce09e47714a63e
SHA256:c6b45db967f3b2b3e28fd2f0724b1730a89d3f5aa9eef3664de29caba219593e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.fusesource.hawtbuf:hawtbuf:1.11  Confidence:Highest

geronimo-j2ee-management_1.1_spec-1.0.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-j2ee-management_1.1_spec\1.0.1\geronimo-j2ee-management_1.1_spec-1.0.1.jar
MD5: 7e1708a3b808e9749b5789668fd9ca8b
SHA1: 5372615b0c04c1913c95c34a0414cef720ca2855
SHA256:7ad780c72a92039bc07cbc09b6ee8d06571a1fbd92d4361a19a433d783b6e221
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec:1.0.1  Confidence:Highest

jetty-all-9.2.11.v20150529.jar

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.2.11.v20150529\jetty-all-9.2.11.v20150529.jar
MD5: ad30dc26b535069b48233e9dc1187057
SHA1: c833a4a3dbe78b8c07fe4bbef47582e959b6ba34
SHA256:03ffa7c7f87c4cd2c666be740922630283d20c7b0e8054d6f7c3204479f3c8b4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.11.v20150529  Confidence:Low  
  • maven: org.eclipse.jetty.aggregate:jetty-all:9.2.11.v20150529  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.2.11.v20150529  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:
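
Both findings above (CVE-2017-7657 and CVE-2017-7658) reduce to one framing question: how many bytes belong to this request's body, and does the front end agree with the server? The class below is an added example, not Jetty code. It reproduces the two lenient behaviours described, int wraparound in the chunk-size parser and keeping the first of two Content-Length headers, each beside a strict version, and feeds both a constructed request so that the leftover bytes a lenient parser treats as a pipelined request become visible. The 1 MiB chunk limit and the request bytes are assumptions for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class RequestFraming {

    /** CVE-2017-7657 style: the hex chunk size is accumulated in an int and wraps past 2^31. */
    static int chunkSizeLenient(String hex) {
        int size = 0;
        for (char c : hex.toCharArray()) {
            size = (size << 4) | Character.digit(c, 16);   // no overflow check
        }
        return size;
    }

    /** Strict: reject non-hex digits and anything above maxChunk before the shift can wrap. */
    static long chunkSizeStrict(String hex, long maxChunk) {
        long size = 0;
        for (char c : hex.toCharArray()) {
            int d = Character.digit(c, 16);
            if (d < 0) throw new IllegalArgumentException("bad chunk size: " + hex);
            if (size > (maxChunk >>> 4)) throw new IllegalArgumentException("chunk too large: " + hex);
            size = (size << 4) | d;
        }
        if (size > maxChunk) throw new IllegalArgumentException("chunk too large: " + hex);
        return size;
    }

    /** CVE-2017-7658 style: with two Content-Length headers the lenient mode keeps the first. */
    static int contentLength(String head, boolean lenient) {
        List<Integer> seen = new ArrayList<>();
        for (String line : head.split("\r\n")) {
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).trim().equalsIgnoreCase("Content-Length")) {
                seen.add(Integer.parseInt(line.substring(colon + 1).trim()));
            }
        }
        if (seen.isEmpty()) return 0;
        if (!lenient && seen.size() > 1) throw new IllegalArgumentException("conflicting Content-Length headers");
        return seen.get(0);
    }

    /** Splits a byte stream into the requests a server with the given leniency would see. */
    static List<String> requestsIn(byte[] stream, boolean lenient) {
        String s = new String(stream, StandardCharsets.ISO_8859_1);
        List<String> requests = new ArrayList<>();
        int pos = 0;
        while (pos < s.length()) {
            int headEnd = s.indexOf("\r\n\r\n", pos);
            if (headEnd < 0) throw new IllegalArgumentException("truncated headers");
            String head = s.substring(pos, headEnd);
            int bodyStart = headEnd + 4;
            pos = bodyStart;
            if (head.toLowerCase().contains("transfer-encoding: chunked")) {
                if (!lenient && head.toLowerCase().contains("content-length:")) {
                    throw new IllegalArgumentException("Content-Length together with chunked encoding");
                }
                while (true) {
                    int eol = s.indexOf("\r\n", pos);
                    if (eol < 0) throw new IllegalArgumentException("truncated chunk size");
                    String sizeHex = s.substring(pos, eol);
                    long size = lenient ? chunkSizeLenient(sizeHex) : chunkSizeStrict(sizeHex, 1L << 20);
                    if (size < 0) throw new IllegalArgumentException("negative chunk size");
                    pos = eol + 2;
                    if (size == 0) { pos += 2; break; }     // last-chunk, then the empty trailer line
                    if (pos + size + 2 > s.length()) throw new IllegalArgumentException("truncated chunk body");
                    pos += (int) size + 2;                   // chunk data followed by CRLF
                }
            } else {
                pos += contentLength(head, lenient);
                if (pos > s.length()) throw new IllegalArgumentException("truncated body");
            }
            requests.add(head + "\r\n\r\n" + s.substring(bodyStart, pos));
        }
        return requests;
    }

    public static void main(String[] args) {
        // Constructed attacker input: a chunk of 0x100000001 bytes. A 64-bit front end keeps
        // waiting for that chunk and forwards everything as its body; the lenient parser reads
        // the size as 1 and sees a second request (GET /admin) behind it.
        byte[] chunkSmuggle = ("POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
                + "100000001\r\nX\r\n0\r\n\r\n"
                + "GET /admin HTTP/1.1\r\nHost: app\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);
        // Constructed duplicate Content-Length: a front end honouring the last header (39)
        // forwards one request; the lenient parser honours the first (5) and sees two.
        byte[] lengthSmuggle = ("POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 39\r\n\r\n"
                + "hello"
                + "GET /admin HTTP/1.1\r\nHost: app\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);
        for (byte[] stream : new byte[][] {chunkSmuggle, lengthSmuggle}) {
            System.out.println("lenient sees " + requestsIn(stream, true).size() + " request(s)");
            try {
                System.out.println("strict sees " + requestsIn(stream, false).size() + " request(s)");
            } catch (IllegalArgumentException e) {
                System.out.println("strict rejects: " + e.getMessage());
            }
        }
    }
}
```

For both inputs the lenient mode returns two requests and the strict mode throws. The point is the disagreement, not either parser on its own: an authorising proxy that framed the stream as one request never evaluated its rules against GET /admin, which is exactly the bypass the advisories describe, and the only robust fix is for both hops to reject ambiguous framing rather than to guess.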

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:
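
The timing channel is not specific to Jetty: any comparison that returns at the first mismatching byte leaks how much of the supplied value was right. The class below is an added example, not Jetty's Password.java. It shows the leaky loop beside the constant-time comparison, and stores the credential as a salted PBKDF2 hash so that what is compared is a fixed-length digest rather than the secret itself. The iteration count, the salt length and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordCheck {

    /** Leaky: rejection time grows with the length of the correct prefix the caller supplied. */
    static boolean leakyEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) return false;   // the early exit is the channel
        }
        return true;
    }

    static final int ITERATIONS = 200_000;   // assumption; tune to your latency budget
    static final int SALT_BYTES = 16;

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** PBKDF2-HMAC-SHA256 stretching; the output is always 32 bytes regardless of input length. */
    static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time verify: MessageDigest.isEqual touches every byte of equal-length inputs
     *  (constant-time in every JDK since 6u17), so timing no longer depends on where they differ. */
    static boolean verify(char[] candidate, byte[] salt, byte[] storedHash) {
        byte[] derived = derive(candidate, salt);
        return MessageDigest.isEqual(derived, storedHash);
    }

    public static void main(String[] args) {
        byte[] salt = newSalt();
        byte[] stored = derive("correct horse battery staple".toCharArray(), salt);   // constructed sample
        System.out.println("right password: " + verify("correct horse battery staple".toCharArray(), salt, stored));
        System.out.println("wrong password: " + verify("correct horse battery stapel".toCharArray(), salt, stored));

        // The leaky form, for contrast: both calls return false, but the second runs through
        // 26 matching bytes before doing so, and that difference is what a remote caller measures.
        byte[] secret = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        byte[] noMatch = String.valueOf(new char[secret.length]).replace('\0', 'x').getBytes(StandardCharsets.UTF_8);
        byte[] longPrefix = "correct horse battery stapxx".getBytes(StandardCharsets.UTF_8);
        System.out.println("leaky, nothing right: " + leakyEquals(secret, noMatch));
        System.out.println("leaky, 26 bytes right: " + leakyEquals(secret, longPrefix));
    }
}
```

Hashing before comparing does two things at once: the comparison has a fixed length, so a length mismatch cannot short-circuit, and a stored credential is a salted hash rather than a plaintext that a leaked configuration file would expose.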

javax.websocket-api-1.0.jar

Description:

 JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\javax\websocket\javax.websocket-api\1.0\javax.websocket-api-1.0.jar
MD5: 510563ac69503be2d6cbb6d492a8027b
SHA1: fc843b649d4a1dcb0497669d262befa3918c7ba8
SHA256:dd93009fb5aa3798bcd9ab0492a292ddae0f0b1ed2e45a75867a9925c90e747a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.websocket:javax.websocket-api:1.0  Confidence:Highest

tomcat-servlet-api-8.0.23.jar

Description:

 javax.servlet package

License:

Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0: http://www.apache.org/licenses/LICENSE-2.0.txt and http://www.opensource.org/licenses/cddl1.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\tomcat\tomcat-servlet-api\8.0.23\tomcat-servlet-api-8.0.23.jar
MD5: f57ce82729c4f2c1feb333715a0b8d2c
SHA1: fe715e33b2a6ddf2d77970fe280235d228132953
SHA256:7b505b39b8df8832a36421ef3f31937776673401dfd34e7357f8387332df03f9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.tomcat:tomcat-servlet-api:8.0.23  Confidence:Highest

commons-beanutils-1.9.2.jar

Description:

 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-beanutils\commons-beanutils\1.9.2\commons-beanutils-1.9.2.jar
MD5: 9f298a2d65e68184f9ebaa938bc12106
SHA1: 7a87d845ad3a155297e8f67d9008f4c1e5656b71
SHA256:23729e3a2677ed5fb164ec999ba3fcdde3f8460e5ed086b6a43d8b5d46998d42
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-beanutils:commons-beanutils:1.9.2  Confidence:Highest
  • cpe: cpe:/a:apache:commons_beanutils:1.9.2  Confidence:Low  

commons-logging-1.2.jar

Description:

 Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-logging:commons-logging:1.2  Confidence:Highest

netty-transport-5.0.0.Alpha2.jar

Description:

 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\io\netty\netty-transport\5.0.0.Alpha2\netty-transport-5.0.0.Alpha2.jar
MD5: 1e57d11a0977140c1016de8d73786757
SHA1: 340af2e29f04c00a4bc54e9be3f058f2abb51c87
SHA256:66a5cf4eb21d87b3dd5028e5fb776760630707ed712fa34e74ac7e8f58f2cbed
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:netty_project:netty:5.0.0  Confidence:Low  
  • maven: io.netty:netty-transport:5.0.0.Alpha2  Confidence:Highest

red5-server-1.0.8-RELEASE.jar

Description:

 The Red5 server

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-server\1.0.8-RELEASE\red5-server-1.0.8-RELEASE.jar
MD5: 82e0ece5332d2989af22ad9f08404608
SHA1: 1aac3f5f408b634a7e4a1e33ba71c0ef7ffde69d
SHA256:fa5d579c5a3697027cfee36d5e53d7c2ff94df904ba43d63aaaebdc9930a80e0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-server:1.0.8-RELEASE  Confidence:Highest

slf4j-api-1.7.22.jar

Description:

 The slf4j API

File Path: C:\Users\Queue\.m2\repository\org\slf4j\slf4j-api\1.7.22\slf4j-api-1.7.22.jar
MD5: 897d990eb5463fd5288092524c105769
SHA1: a1c83373863cec7ae8d89dc1c5722d8cb6ec0309
SHA256:3a4cd4969015f3beb4b5b4d81dbafc01765fb60b8a439955ca64d8476fef553e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.22  Confidence:Low  
  • maven: org.slf4j:slf4j-api:1.7.22  Confidence:Highest

jcl-over-slf4j-1.7.22.jar

Description:

 JCL 1.1.1 implemented over SLF4J

File Path: C:\Users\Queue\.m2\repository\org\slf4j\jcl-over-slf4j\1.7.22\jcl-over-slf4j-1.7.22.jar
MD5: 87f0c69f2d86475c9dc8cfbde270fa4e
SHA1: 86ceac14535af5a42c8fb0d06d79b925dd3cb263
SHA256:e1ab57ae2e46a4a0dcbbd15b329187600b76ce54882834b4681b24f0c083cee0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.22  Confidence:Low  
  • maven: org.slf4j:jcl-over-slf4j:1.7.22  Confidence:Highest

jul-to-slf4j-1.7.22.jar

Description:

 JUL to SLF4J bridge

File Path: C:\Users\Queue\.m2\repository\org\slf4j\jul-to-slf4j\1.7.22\jul-to-slf4j-1.7.22.jar
MD5: df613082ad3cd4b37035401440fc5fbc
SHA1: b0429e950b3d2bc2c39c1bacafac753edbe3781c
SHA256:4d372bdee468471321d10476ea40e43dd56f07cccb4d899dba322162b63c42c1
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.22  Confidence:Low  
  • maven: org.slf4j:jul-to-slf4j:1.7.22  Confidence:Highest

log4j-over-slf4j-1.7.22.jar

Description:

 Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\slf4j\log4j-over-slf4j\1.7.22\log4j-over-slf4j-1.7.22.jar
MD5: d00b5cae2cdecebcc051d748f7a13ba0
SHA1: a527c37e9ca6c3d19ba298edd4aa344ca751a203
SHA256:219c52f9b4a0b2525c83b4f47cf7535a489f8d5a3a66c359b0916a2e110ee43c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.22  Confidence:Low  
  • maven: org.slf4j:log4j-over-slf4j:1.7.22  Confidence:Highest

logback-core-1.1.7.jar

Description:

 logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\Queue\.m2\repository\ch\qos\logback\logback-core\1.1.7\logback-core-1.1.7.jar
MD5: 4021551de5018dfa4b79ec553280f00a
SHA1: 7873092d39ef741575ca91378a6a21c388363ac8
SHA256:a500aedf2681fa4850e06698579140bb6233ee0e1878f98862b48ccca4b2f1de
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: ch.qos.logback:logback-core:1.1.7  Confidence:Highest
  • cpe: cpe:/a:logback:logback:1.1.7  Confidence:Low  

CVE-2017-5929  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Vulnerable Software & Versions:

spring-core-4.3.5.RELEASE.jar

Description:

 Spring Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-core\4.3.5.RELEASE\spring-core-4.3.5.RELEASE.jar
MD5: 32e14b156057115efa0c4bb1fe13eef5
SHA1: 80299e3f80e8c6d5c076db2ba6adf44a4b52f578
SHA256:94de0caefa5b70ecefce0c15678619cdb52a1d276e06b5a470e24c0af8bc41dc
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:4.3.5  Confidence:Highest  
  • maven: org.springframework:spring-core:4.3.5.RELEASE  Confidence:Highest
  • cpe: cpe:/a:pivotal:spring_framework:4.3.5  Confidence:Low  

CVE-2018-11039  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Software & Versions:
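
The fix shipped in Spring 4.3.18 narrows the filter in two ways: the override is honoured only on a POST, and only when it names PUT, PATCH or DELETE, so a form can no longer turn itself into a TRACE (or any other verb). An application still on 4.3.5 can apply the same restriction in a filter of its own, registered in place of Spring's. The class below is an added example, not Spring's own filter; it assumes the Servlet 3 API and the default _method parameter name, and upgrading remains the real fix.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Method-override filter that cannot be abused to reach TRACE (or any other verb):
 * the override is read only from a POST and only if it names PUT, PATCH or DELETE.
 */
public class RestrictedHiddenHttpMethodFilter extends OncePerRequestFilter {

    public static final String METHOD_PARAM = "_method";   // Spring's default parameter name
    private static final List<String> ALLOWED = Arrays.asList("PUT", "PATCH", "DELETE");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpServletRequest toUse = request;
        if ("POST".equals(request.getMethod())) {
            String override = request.getParameter(METHOD_PARAM);
            if (override != null) {
                String method = override.toUpperCase(Locale.ENGLISH);
                if (ALLOWED.contains(method)) {
                    toUse = new MethodOverrideRequest(request, method);
                }
                // Anything else (GET, TRACE, HEAD, arbitrary strings) is ignored and the
                // request proceeds as the POST it actually is.
            }
        }
        chain.doFilter(toUse, response);
    }

    private static final class MethodOverrideRequest extends HttpServletRequestWrapper {
        private final String method;

        MethodOverrideRequest(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }

        @Override
        public String getMethod() {
            return method;
        }
    }
}
```

Register it wherever HiddenHttpMethodFilter was registered (a filter bean or web.xml entry) and drop Spring's. The XST escalation in the advisory needs an attacker-supplied _method=TRACE to be honoured; this filter leaves such a request as a POST, and the allow list is the part to keep even after the upgrade if a custom override filter exists in the code base.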

CVE-2018-11040  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Vulnerable Software & Versions:

CVE-2018-1199  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Vulnerable Software & Versions:

CVE-2018-1257  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

CVE-2018-1275  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vulnerable Software & Versions:

red5-server-common-1.0.8-RELEASE.jar

Description:

 Classes common for multiple red5 projects

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-server-common\1.0.8-RELEASE\red5-server-common-1.0.8-RELEASE.jar
MD5: 34ccdc2f842998d6d90e0a6b3d42cecd
SHA1: a348f64b320faf119b67c7fa143ccd2c9ff3a235
SHA256:2abd5dd265661d45bbe2b7a2fc19d7cc92609bae8ab9720c0a02efa73b1feaf7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-server-common:1.0.8-RELEASE  Confidence:Highest

mina-core-2.0.16.jar

Description:

 Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\apache\mina\mina-core\2.0.16\mina-core-2.0.16.jar
MD5: fd86528fa9d9ba8fb8c37e3ac28fa45f
SHA1: f720f17643eaa7b0fec07c1d7f6272972c02bba4
SHA256:5d864fb422b9f7f6f8038e713daeb0782d6af7263fb5a339a8b5d61b5d3b692d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.mina:mina-core:2.0.16  Confidence:Highest

commons-lang3-3.5.jar

Description:

 
 Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-lang3\3.5\commons-lang3-3.5.jar
MD5: 780b5a8b72eebe6d0dbff1c11b5658fa
SHA1: 6c6c702c89bfff3cd9e80b04d668c5e190d588c6
SHA256:8ac96fc686512d777fca85e144f196cd7cfe0c0aec23127229497d1a38ff651c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.commons:commons-lang3:3.5  Confidence:Highest

bcprov-jdk15on-1.55.jar

Description:

 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: C:\Users\Queue\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.55\bcprov-jdk15on-1.55.jar
MD5: cbf56e979aba0e551a57953080e115f0
SHA1: 935f2e57a00ec2c489cbd2ad830d4a399708f979
SHA256:c08450a176b55c7ef4847111550eb247e5912ad450c8c225fa2f7cab74ce608b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2016-1000338  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-347 Improper Verification of Cryptographic Signature

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Vulnerable Software & Versions:

CVE-2016-1000339  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Vulnerable Software & Versions:

CVE-2016-1000340  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); these have since been fixed. The classes are used by the custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for the scalar multipliers.

Vulnerable Software & Versions:

CVE-2016-1000341  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-361 7PK - Time and State

In the Bouncy Castle JCE Provider version 1.55 and earlier, DSA signature generation is vulnerable to a timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Vulnerable Software & Versions:

CVE-2016-1000342  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-347 Improper Verification of Cryptographic Signature

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Vulnerable Software & Versions:

CVE-2016-1000343  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

Vulnerable Software & Versions:

CVE-2016-1000344  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

In the Bouncy Castle JCE Provider version 1.55 and earlier, the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Vulnerable Software & Versions:

CVE-2016-1000345  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-361 7PK - Time and State

In the Bouncy Castle JCE Provider version 1.55 and earlier, the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Vulnerable Software & Versions:

CVE-2016-1000346  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-320 Key Management Errors

In the Bouncy Castle JCE Provider version 1.55 and earlier, the other party's DH public key is not fully validated. This can cause issues, as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Vulnerable Software & Versions:

CVE-2016-1000352  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

In the Bouncy Castle JCE Provider version 1.55 and earlier, the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Vulnerable Software & Versions:

CVE-2017-13098  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Vulnerable Software & Versions:

CVE-2018-1000180  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the low-level interface to the RSA key pair generator: RSA key pairs generated through the low-level API with added certainty may have fewer Miller-Rabin (M-R) tests applied than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, and BC-FJA 1.0.2 and later.

Vulnerable Software & Versions:

CVE-2018-1000613  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Legion of the Bouncy Castle Java Cryptography APIs prior to version 1.60 contain a CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. A handcrafted private key can include references to unexpected classes, which will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Vulnerable Software & Versions:

red5-io-1.0.8-RELEASE.jar

Description:

 The Red5 I/O library

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-io\1.0.8-RELEASE\red5-io-1.0.8-RELEASE.jar
MD5: 8f5d86b963c3aed6b765a9f95d2aaee7
SHA1: 39ced20c1c54afcabd1f6360b6bc5a918b550ed7
SHA256:1b5737356fc9b1d9b3439b2691a0780c466596897734a0f2cfa1a710515d905c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-io:1.0.8-RELEASE  Confidence:Highest

tika-core-1.14.jar

Description:

 This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\tika\tika-core\1.14\tika-core-1.14.jar
MD5: d86a1e930da97345b4130c03e8193f58
SHA1: afff8f1774994aa973ef90bc8d38ddf089b9d6d9
SHA256:6708c01d44378529afe509e19f0314bd65aa8d62c01ba577d1b6cdf7fcd5f3a7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:tika:1.14  Confidence:Highest  
  • maven: org.apache.tika:tika-core:1.14  Confidence:Highest

CVE-2018-1335  

Severity:High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Vulnerable Software & Versions:

CVE-2018-1338  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions:

CVE-2018-1339  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions:

CVE-2018-8017  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.

Vulnerable Software & Versions:

jmatio-1.2.jar

Description:

 Matlab's MAT-file I/O API in Java. Supports Matlab 5 MAT-file format reading and writing. Written in pure Java.

License:

BSD: http://www.linfo.org/bsdlicense.html
File Path: C:\Users\Queue\.m2\repository\org\tallison\jmatio\1.2\jmatio-1.2.jar
MD5: 237ce61a21ae9570ee5754fb5a54c57e
SHA1: 69d8f2f49c1503f9b15b0eb50b1905a734a025e2
SHA256:5dbcc1d2cda2ef85a4e780e3a082c3bfc17e2ade2ea0e5ffd27834a9f7668fc4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.tallison:jmatio:1.2  Confidence:Highest

apache-mime4j-core-0.7.2.jar

Description:

 Java stream based MIME message parser

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\james\apache-mime4j-core\0.7.2\apache-mime4j-core-0.7.2.jar
MD5: 88f799546eca803c53eee01a4ce5edcd
SHA1: a81264fe0265ebe8fd1d8128aad06dc320de6eef
SHA256:4d7434c68f94b81a253c12f28e6bbb4d6239c361d6086a46e22e594bb43ac660
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.james:apache-mime4j-core:0.7.2  Confidence:Highest
  • cpe: cpe:/a:apache:james:0.7.2  Confidence:Low  

pdfbox-tools-2.0.3.jar

Description:

 The Apache PDFBox library is an open source Java tool for working with PDF documents. This artefact contains commandline tools using Apache PDFBox.

File Path: C:\Users\Queue\.m2\repository\org\apache\pdfbox\pdfbox-tools\2.0.3\pdfbox-tools-2.0.3.jar
MD5: 5cb2d888358e6740d876e9a0ec6480f0
SHA1: f07038a406e2b4d7b4b21b306a16ebb04126fa2c
SHA256:cc5c5da822777babed23cf0de1e96f057548f5e2649b47d672ee27142d944590
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:pdfbox:2.0.3  Confidence:Low  
  • maven: org.apache.pdfbox:pdfbox-tools:2.0.3  Confidence:Highest

jempbox-1.8.12.jar

Description:

 The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\pdfbox\jempbox\1.8.12\jempbox-1.8.12.jar
MD5: 8e65171dec17bf5939f539e60d2721c8
SHA1: 426450c573c19f6f2c751a7a52c11931b712c9f6
SHA256:6ef72ac07682eb7b6355024f535a7a45c8f289f6b11f531acfba225ad2503b52
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:pdfbox:1.8.12  Confidence:Low  
  • maven: org.apache.pdfbox:jempbox:1.8.12  Confidence:Highest

tagsoup-1.2.1.jar

Description:

 TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\ccil\cowan\tagsoup\tagsoup\1.2.1\tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
SHA256:ac97f7b4b1d8e9337edfa0e34044f8d0efe7223f6ad8f3a85d54cc1018ea2e04
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.ccil.cowan.tagsoup:tagsoup:1.2.1  Confidence:Highest

asm-5.0.4.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm\5.0.4\asm-5.0.4.jar
MD5: c8a73cdfdf802ab0220c860d590d0f84
SHA1: 0da08b8cce7bbf903602a25a3a163ae252435795
SHA256:896618ed8ae62702521a78bc7be42b7c491a08e6920a15f89a3ecdec31e9a220
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.ow2.asm:asm:5.0.4  Confidence:Highest

metadata-extractor-2.9.1.jar

Description:

 Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\drewnoakes\metadata-extractor\2.9.1\metadata-extractor-2.9.1.jar
MD5: 2ca081a3d5fc1bcfbb51cc11808a8b88
SHA1: 53fdf22be10c9d426ec63431c7342895bc642261
SHA256:4d7382568a5e5aac96c261d8fd67b030a533982ecac563e8ed4f327831f0b024
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.drewnoakes:metadata-extractor:2.9.1  Confidence:Highest
  • cpe: cpe:/a:id:id-software:2.9.1  Confidence:Low  

xmpcore-5.1.2.jar

Description:

 The XMP Library for Java is based on the C++ XMPCore library and the API is similar.

License:

The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: C:\Users\Queue\.m2\repository\com\adobe\xmp\xmpcore\5.1.2\xmpcore-5.1.2.jar
MD5: 0b2cf2a09d32abdedd17de864e93ad25
SHA1: 55615fa2582424e38705487d1d3969af8554f637
SHA256:0adcd63003aaff0a87b938f6accc2d890a2169c751a9b36881237f8546287090
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.adobe.xmp:xmpcore:5.1.2  Confidence:Highest

boilerpipe-1.1.0.jar

Description:

 The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.

The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.

Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.

Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.

The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining New York City, NY USA.

License:

Apache License 2.0
File Path: C:\Users\Queue\.m2\repository\de\l3s\boilerpipe\boilerpipe\1.1.0\boilerpipe-1.1.0.jar
MD5: 0616568083786d0f49e2cb07a5d09fe4
SHA1: f62cb75ed52455a9e68d1d05b84c500673340eb2
SHA256:088203df4326c4dcc42cec1253a2b41e03dc8904984eae744543b48e2cc63846
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: de.l3s.boilerpipe:boilerpipe:1.1.0  Confidence:Highest
  • cpe: cpe:/a:html-pages_project:html-pages:1.1.0  Confidence:Low  

rome-1.5.1.jar

Description:

 All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work with the data without bothering about the underlying format.

File Path: C:\Users\Queue\.m2\repository\com\rometools\rome\1.5.1\rome-1.5.1.jar
MD5: 07039d4b871513942d0495311947275f
SHA1: cc3489f066749bede7fc81f4e80c0d8c9534a210
SHA256:0f754b6886c3c97e1ca8ccd6c94de383a14908cd6f1e68b6ab951af016e8b23f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.rometools:rome:1.5.1  Confidence:Highest

rome-utils-1.5.1.jar

Description:

 Utility classes for ROME projects

File Path: C:\Users\Queue\.m2\repository\com\rometools\rome-utils\1.5.1\rome-utils-1.5.1.jar
MD5: ba0f0958cbbacd734b383038c3dcb0ef
SHA1: 3a3d6473a2f5d55fb31bf6c269af963fdea13b54
SHA256:8267802f2f959558a7974ea754c2d80d3e1c813d24045c066c539664d8422be2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.rometools:rome-utils:1.5.1  Confidence:Highest

juniversalchardet-1.0.3.jar

Description:

 Java port of universalchardet

License:

Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: C:\Users\Queue\.m2\repository\com\googlecode\juniversalchardet\juniversalchardet\1.0.3\juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
SHA256:757bfe906193b8b651e79dc26cd67d6b55d0770a2cdfb0381591504f779d4a76
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.googlecode.juniversalchardet:juniversalchardet:1.0.3  Confidence:Highest

ehcache-core-2.6.11.jar

Description:

 This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\net\sf\ehcache\ehcache-core\2.6.11\ehcache-core-2.6.11.jar
MD5: 81840aace00ec514154d6dac91ba43e5
SHA1: fae7f84a5ffabe1b814e40190650c0ad5aeda5b1
SHA256:ffe3580aadb6e07f86e49e326f3402fe8dfbf3470eb2782d68507bd31d75af88
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.ehcache:ehcache-core:2.6.11  Confidence:Highest

isoparser-1.1.17.jar

Description:

 A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)

License:

Apache Software License - Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\googlecode\mp4parser\isoparser\1.1.17\isoparser-1.1.17.jar
MD5: b6a1b862200f1dae892e448ec7cd6228
SHA1: d80bcd7e583d1e1b4904fa0bb0d6d21995a7ca69
SHA256:0ec1366a796ab52758696bb23e7066458b196bc50e699adbf3d5c10044db59a9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.googlecode.mp4parser:isoparser:1.1.17  Confidence:Highest

red5-service-1.0.8-RELEASE.jar

Description:

 The Red5 server service daemon

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-service\1.0.8-RELEASE\red5-service-1.0.8-RELEASE.jar
MD5: 744d91a48f0f02077cbed0c27fe09eea
SHA1: ec1d5b779b7249b14be02ba9673daeab7a0b6fcc
SHA256:68afa48cd9a6d6315699f5a2aba1e810acd2da8905dd3879cdde16eafb9b8700
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-service:1.0.8-RELEASE  Confidence:Highest

commons-daemon-1.0.15.jar

Description:

 Apache Commons Daemon software provides an alternative invocation mechanism for unix-daemon-like Java code.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15.jar
MD5: 631bfc43cf5f601d34f1f5ea16751061
SHA1: 275b3f1efc36c6a5c276440a96a489f4ff90fa8a
SHA256:61a8f2b067b3ae8b3684669509250faffedbcfabd50f055bbe60c3fd5f0eb01e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-daemon:commons-daemon:1.0.15  Confidence:Highest
  • cpe: cpe:/a:apache:apache_commons_daemon:1.0.15  Confidence:Low  

mina-integration-beans-2.0.16.jar

Description:

 Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily.  It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\apache\mina\mina-integration-beans\2.0.16\mina-integration-beans-2.0.16.jar
MD5: fb54998e33f6f411c566201d91407e13
SHA1: 47446b0070acf6f82fe99366a1424adf4f9b2d35
SHA256:4a31916661a61105dfb86fa4f6e5a3ab3c45151a99a64de8c1ac1d1bd574efa9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.mina:mina-integration-beans:2.0.16  Confidence:Highest

quartz-2.2.3.jar

Description:

 Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0
File Path: C:\Users\Queue\.m2\repository\org\quartz-scheduler\quartz\2.2.3\quartz-2.2.3.jar
MD5: fc28f0ac6b94137d7e45872db3428d0d
SHA1: d4d8ea088852beeb89f54d3040fe1cbaa8491dcd
SHA256:0d37f02a2565b4942c81bc82e170ebb7755fb59a527c5231cff0143aa5e96144
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.quartz-scheduler:quartz:2.2.3  Confidence:Highest

nifi-api-1.3.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\nifi\nifi-api\1.3.0\nifi-api-1.3.0.jar
MD5: 6e6e82283d1b3d44b98e7d057e2554d4
SHA1: d04c78e6c9b7f78c6afb56847ee250b746cbc10b
SHA256:8b46e28c7de2b2d2446eaf1938f3c0fd677465cf08f7b94c77765d3f671fa192
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.apache.nifi:nifi-api:1.3.0  Confidence:Highest
  • cpe: cpe:/a:apache:nifi:1.3.0  Confidence:Highest  

CVE-2017-12623  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Vulnerable Software & Versions:

CVE-2017-12632  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Vulnerable Software & Versions:

javax.json-api-1.1.2.jar

Description:

 API module of JSR 374: Java API for Processing JSON

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: C:\Users\Queue\.m2\repository\javax\json\javax.json-api\1.1.2\javax.json-api-1.1.2.jar
MD5: a59d2f385dbd8f6561235dfa8d81a559
SHA1: b38c52a6e180359108bd5e35dbeec7d1be45c535
SHA256:228759defdf40d1cb94112c81e4ae505a4c7c26dc217723be4f7d48a5579703d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: javax.json:javax.json-api:1.1.2  Confidence:Highest

vdx-core-1.1.6.jar

Description:

 VDX Core utils

File Path: C:\Users\Queue\.m2\repository\org\projectodd\vdx\vdx-core\1.1.6\vdx-core-1.1.6.jar
MD5: c70bf1942e0effa588f97875d166b6e2
SHA1: f685489cc2abe5882eb139840589be2ab6e322b8
SHA256:f3d39ec8d90afabc2687cdf116ad5ba22efe8e0a7103fd560a137ad897905155
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.projectodd.vdx:vdx-core:1.1.6  Confidence:Highest

vdx-wildfly-1.1.6.jar

Description:

 VDX WildFly support

File Path: C:\Users\Queue\.m2\repository\org\projectodd\vdx\vdx-wildfly\1.1.6\vdx-wildfly-1.1.6.jar
MD5: 50874b3628f0c6ba64271ea3e7c154f7
SHA1: 2dac020b2e9b17f2d2ecba8d1b96f102624c07ab
SHA256:9a1691be89ef00d889f181e955dd9632c9edcaf82274bf525c1a1a5f057108bd
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.1.6  Confidence:Low  
  • maven: org.projectodd.vdx:vdx-wildfly:1.1.6  Confidence:Highest

undertow-core-2.0.9.Final.jar

Description:

 Undertow

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\io\undertow\undertow-core\2.0.9.Final\undertow-core-2.0.9.Final.jar
MD5: f15bec5970e94104b9c6f87908f42ccd
SHA1: 380095d9381d93fc914a6c4890d71edc00b580ce
SHA256:c61365fe7efcf9dbeac8cefc189a649a5c09b614519cad0893a1b4cb53fe41ac
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: io.undertow:undertow-core:2.0.9.Final  Confidence:Highest

cal10n-api-0.8.1.jar

Description:

 Compiler assisted localization library (CAL10N)

File Path: C:\Users\Queue\.m2\repository\ch\qos\cal10n\cal10n-api\0.8.1\cal10n-api-0.8.1.jar
MD5: a5e1938f597d3536baae45e06f7b82b2
SHA1: 496e5f330af47a811c497d637e03f1b8d8cdc2b0
SHA256:b7a110770766cd2742eba4ee894713b17e69262841f8aeea8b3d1a666fb7d260
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: ch.qos.cal10n:cal10n-api:0.8.1  Confidence:Highest

woodstox-core-5.0.3.jar

Description:

 Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\woodstox\woodstox-core\5.0.3\woodstox-core-5.0.3.jar
MD5: 8b151bd3d262d9c07e0384b7cc6c4cd9
SHA1: 10aa199207fda142eff01cd61c69244877d71770
SHA256:a1c04b64fbfe20ae9f2c60a3bf1633fed6688ae31935b6bd4a457a1bbb2e82d4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.fasterxml.woodstox:woodstox-core:5.0.3  Confidence:Highest

javax.json-1.1.2.jar

Description:

 Default provider for JSR 374: Java API for Processing JSON

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: C:\Users\Queue\.m2\repository\org\glassfish\javax.json\1.1.2\javax.json-1.1.2.jar
MD5: 09593edb57fd9bcf8ce58f9bd031e308
SHA1: a507518970d55e9de24665af06d70aae91b4aaa1
SHA256:3cf736d446cc66090a50c975d2e56bf18bcabd7b7bb8ff87d514fc0b17099c85
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.glassfish:javax.json:1.1.2  Confidence:Highest

stax2-api-3.1.4.jar

Description:

 Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\org\codehaus\woodstox\stax2-api\3.1.4\stax2-api-3.1.4.jar
MD5: c08e89de601b0a78f941b2c29db565c3
SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
SHA256:86d7c0b775a7c9b454cc6ba61d40a8eb3b99cc129f832eb9b977a3755b4b338e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.codehaus.woodstox:stax2-api:3.1.4  Confidence:Highest

jandex-2.0.5.Final.jar

Description:

 Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jandex\2.0.5.Final\jandex-2.0.5.Final.jar
MD5: 8faa3033123cfc8470107d2ae4ebe76d
SHA1: 7060f67764565b9ee9d467e3ed0cb8a9c601b23a
SHA256:9112a9c33175b8c64b999ecf47b649fdf1cd6fa8262d0677895e976ed2891f0b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jandex:2.0.5.Final  Confidence:Highest

jboss-dmr-1.5.0.Final.jar

License:

GNU Lesser General Public License v2.1 only: http://repository.jboss.org/licenses/lgpl-2.1.txt
Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jboss-dmr\1.5.0.Final\jboss-dmr-1.5.0.Final.jar
MD5: 597af8c7b37a672708d72655572268bc
SHA1: 99bff2167539a969f3d20d2633ad49d16322e39b
SHA256:cbbe302464ff99bc0656be2343958f3eb7a4ffc575e03bb7399fccbb327be6c5
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jboss-dmr:1.5.0.Final  Confidence:Highest

staxmapper-1.3.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\staxmapper\1.3.0.Final\staxmapper-1.3.0.Final.jar
MD5: 50a1b373e630786c967c917d00d4733e
SHA1: 61c6f36255b014db28dac8e399b6c9e40c93b1d6
SHA256:2376327e0d63f8c815589e830d7e384dd8903928dbaee8ecdfc873ebef6ff335
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:staxmapper:1.3.0.Final  Confidence:Highest

jboss-interceptors-api_1.2_spec-1.0.1.Final.jar

Description:

 The Java(TM) EE Interceptors 1.2 API classes from JSR 318.

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\interceptor\jboss-interceptors-api_1.2_spec\1.0.1.Final\jboss-interceptors-api_1.2_spec-1.0.1.Final.jar
MD5: 20603cc0b95e5a896fd17fde277dbd57
SHA1: c8d2eba1110f989d706c363156a9448f576bb0be
SHA256:67992eb8f5b2e056b180fa67c2ba8c3adf736a67c6da3d4b91d948a0a97d3bba
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.2_spec:1.0.1.Final  Confidence:Highest

jboss-jacc-api_1.5_spec-1.0.2.Final.jar

Description:

 JSR-000115 Java(TM) Authorization Contract for Containers API

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\security\jacc\jboss-jacc-api_1.5_spec\1.0.2.Final\jboss-jacc-api_1.5_spec-1.0.2.Final.jar
MD5: ea09f0c6ba3f8113f15897614133ba6f
SHA1: 8fa08aafdc4d9aa9cbf429aac1cbdede06b3f070
SHA256:37fdb37be8c731138d7d5f01eba2c25042f3fa455b09f13af908afe76e3e885c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.spec.javax.security.jacc:jboss-jacc-api_1.5_spec:1.0.2.Final  Confidence:Highest

jboss-classfilewriter-1.2.2.Final.jar

Description:

 A bytecode writer that creates .class files at runtime

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\classfilewriter\jboss-classfilewriter\1.2.2.Final\jboss-classfilewriter-1.2.2.Final.jar
MD5: 4da88757f87f27f9946f82326e27dc05
SHA1: 3be9add66342ea3c7525195fb2f4fbdae388140e
SHA256:c34e3601d0379374256d6f04f2938f668e92c0c6d7f12d4651e592a3e41b3fd2
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.classfilewriter:jboss-classfilewriter:1.2.2.Final  Confidence:Highest

jboss-vfs-3.2.12.Final.jar

Description:

 A VFS library

License:

asl: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jboss-vfs\3.2.12.Final\jboss-vfs-3.2.12.Final.jar
MD5: ebf760b5642da68e894b2536e324573c
SHA1: 51dcc622354dd0fc6eb7a42d499b68c4e345632c
SHA256:60ca73f106f41289572c00e5e4e619d3823af58c66d299926617679adec7206e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jboss-vfs:3.2.12.Final  Confidence:Highest

aesh-readline-1.7.jar

File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-readline\1.7\aesh-readline-1.7.jar
MD5: 61d3b8c34974d40c706ce41530e79310
SHA1: 2a49951f7412c263ea5d1e3c6dc1155fbd68269b
SHA256:edcd91d92ce16ef208cde9170cdf3f1f3d8824685515f3e44cda6437dc967d2d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-readline:1.7  Confidence:Highest

aesh-extensions-1.3.jar

Description:

 Commands that may be used as part of a Æsh program

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-extensions\1.3\aesh-extensions-1.3.jar
MD5: fb733689e12bfdbc1a5d2463dc6f6dfd
SHA1: 6c943b0fcfb584e2f480b01a9dd41fa2c4d8fa0c
SHA256:81775e13c7c0d6cafbf2287219533d34b1bad8029bab81a167b9edff3b14ea70
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-extensions:1.3  Confidence:Highest

aesh-1.4.jar

Description:

 Æsh (Another Extendable SHell)

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh\1.4\aesh-1.4.jar
MD5: 2df1b21a7ac9fb5a329b73ea356c5833
SHA1: 3c80d375e50f8a63f4279442dbbee72bfc1db3e3
SHA256:8accf747e6060953ffa9add15e19b8c2b4592a7ebb98a4bd2c6058e73674b86b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh:1.4  Confidence:Highest

jboss-invocation-1.5.1.Final.jar

Description:

 Invocation Application Programming Interface

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\invocation\jboss-invocation\1.5.1.Final\jboss-invocation-1.5.1.Final.jar
MD5: b9ecddaf54f952a2003278e2fb7f104c
SHA1: 2ae006f489a673f7c0e70b07c26621cb7782ee88
SHA256:da89206eae128f95a70e87d26ddf3e45282bc696fc537d12b38efe4268c663b8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.invocation:jboss-invocation:1.5.1.Final  Confidence:Highest

jboss-logging-3.3.1.Final.jar

Description:

 The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging\3.3.1.Final\jboss-logging-3.3.1.Final.jar
MD5: 93cf8945ff84aaf9f0ed9a76991338fb
SHA1: c46217ab74b532568c0ed31dc599db3048bd1b67
SHA256:9f7d8b884370763b131bf48a0fc91edec89ad80e0e40c47658098a686a905bb2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging:3.3.1.Final  Confidence:Highest

jul-to-slf4j-stub-1.0.1.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jul-to-slf4j-stub\1.0.1.Final\jul-to-slf4j-stub-1.0.1.Final.jar
MD5: ba879de98275bb09d3377d80c5dd0a83
SHA1: 4399b60dd598134860176c93f17b0acdfd3c8ad7
SHA256:a80e5c33b6791aad4e06898d5b541d46cf30242c0a3f7a7debc439b05f94929f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logging:jul-to-slf4j-stub:1.0.1.Final  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.0.1  Confidence:Low  

commons-logging-jboss-logging-1.0.0.Final.jar

Description:

 Apache Commons Logging to JBoss Logging implementation

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\commons-logging-jboss-logging\1.0.0.Final\commons-logging-jboss-logging-1.0.0.Final.jar
MD5: 46328c16f47be35563b73425d456445a
SHA1: 27a4e823d661bde67ec103bba2baf33cddde6e75
SHA256:f12176263ea25f4e78bb4fa4b36d335a29738dde6a8123e1b6da89a655d150ff
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logging:commons-logging-jboss-logging:1.0.0.Final  Confidence:Highest

log4j-jboss-logmanager-1.1.4.Final.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logmanager\log4j-jboss-logmanager\1.1.4.Final\log4j-jboss-logmanager-1.1.4.Final.jar
MD5: a7414bbac9e47fbf5c49391e3536bc66
SHA1: b7bc82a4444eed4293e277ff40f566a93883c866
SHA256:518e879a56994a7c45b9ebeaa23599c6747dd23c88e5ac4d009195384f21d3ab
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logmanager:log4j-jboss-logmanager:1.1.4.Final  Confidence:Highest

jboss-marshalling-2.0.5.Final.jar

Description:

 JBoss Marshalling API

File Path: C:\Users\Queue\.m2\repository\org\jboss\marshalling\jboss-marshalling\2.0.5.Final\jboss-marshalling-2.0.5.Final.jar
MD5: aa3cdb0cdf0e315c1bb2e66cf168cee4
SHA1: f9325ec0a4c306e41eac10a855fb91f950e0a38b
SHA256:cb64060648b804b70e4a76e0253eab62aa2be115509445c33aaedc0e01296520
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling:2.0.5.Final  Confidence:Highest

jboss-marshalling-river-2.0.5.Final.jar

Description:

 JBoss Marshalling River Implementation

File Path: C:\Users\Queue\.m2\repository\org\jboss\marshalling\jboss-marshalling-river\2.0.5.Final\jboss-marshalling-river-2.0.5.Final.jar
MD5: 3de4eff75963e987593b2c73312b7570
SHA1: beb5a6a14edd053cb6ce1821c1c90777231ee410
SHA256:ef9e9ca4c59a4e1870749307df085203e82825785813f7e102070994c0230727
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling-river:2.0.5.Final  Confidence:Highest

jboss-modules-1.8.5.Final.jar

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
Indiana University Extreme! Lab Software License 1.1.1: http://www.bearcave.com/software/java/xml/xmlpull_license.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\modules\jboss-modules\1.8.5.Final\jboss-modules-1.8.5.Final.jar
MD5: 692fc17e96b9c03f65db3179e8bb8e44
SHA1: 41c7ebc95fcb0cabaca5712ed8117564a0e0f22e
SHA256:a924bca49508687a6ed1dc2b1749a902367a02df53b1fd2d10f89947560c51d9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.modules:jboss-modules:1.8.5.Final  Confidence:Highest

jboss-msc-1.4.2.Final.jar

License:

GNU Lesser General Public License v2.1 only: http://repository.jboss.org/licenses/lgpl-2.1.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\msc\jboss-msc\1.4.2.Final\jboss-msc-1.4.2.Final.jar
MD5: 8eaa22824196eed626587e2f770c249d
SHA1: 162d02da9cc18791249dfbea7d9db779b3e46684
SHA256:5bd6caab984241baec88a405f2f24a31ffb6ef2332411f533d80875c7ec8076c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.msc:jboss-msc:1.4.2.Final  Confidence:Highest

jboss-remoting-5.0.7.Final.jar

Description:

 JBoss Remoting

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\remoting\jboss-remoting\5.0.7.Final\jboss-remoting-5.0.7.Final.jar
MD5: db968724e786e165ff99f34c38d57871
SHA1: 09413c8f0b5e8345662923416425dffde10c77cf
SHA256:74ab247884101c86faf448f5ae0e89a1fcffaf19f63b732dfebed819f460a8b9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.remoting:jboss-remoting:5.0.7.Final  Confidence:Highest

remoting-jmx-3.0.0.Final.jar

License:

GNU Lesser General Public License v2.1 or later: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\remotingjmx\remoting-jmx\3.0.0.Final\remoting-jmx-3.0.0.Final.jar
MD5: f94abd3b2ed79ceecdd197b43be23766
SHA1: f17201e2092f0fc03c1b61b632f1344f51045ead
SHA256:244c8492baaa16dcf392324f5b00dd3ddf4162a3664f9952b8a46e09d7e9527b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.remotingjmx:remoting-jmx:3.0.0.Final  Confidence:Highest

slf4j-jboss-logmanager-1.0.3.GA.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\slf4j\slf4j-jboss-logmanager\1.0.3.GA\slf4j-jboss-logmanager-1.0.3.GA.jar
MD5: 66e36c7f3b36b3b8932e7bcbc38df374
SHA1: 1488ce0a2d0c1d2edaecce476279c23252047034
SHA256:f49e2d2cc2e1a3b2777aa874479ce4bf24f6a2b3bf60a639e4675a767f2d8b41
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.0.3  Confidence:Low  
  • maven: org.jboss.slf4j:slf4j-jboss-logmanager:1.0.3.GA  Confidence:Highest

jboss-stdio-1.0.2.GA.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\stdio\jboss-stdio\1.0.2.GA\jboss-stdio-1.0.2.GA.jar
MD5: 66b64b84e74f26ad07f3434cd55c1269
SHA1: 709a076a3c74bc93809138b691dbd0e90cbc67a7
SHA256:faaef15cd41f4ef8fd7d85bd4e414b909e48b8c95547476139dc855c2d108d0e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.stdio:jboss-stdio:1.0.2.GA  Confidence:Highest

jboss-threads-2.3.2.Final.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\threads\jboss-threads\2.3.2.Final\jboss-threads-2.3.2.Final.jar
MD5: fde56cbf672e640a0b70c3c1869006ec
SHA1: 72123d97ace01dd48e7d096ed1908b0d70c2a7d5
SHA256:94bcb8221092315875c2d715e12b0a549aa03024bf3954ea2dd313fabe68d97c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.threads:jboss-threads:2.3.2.Final  Confidence:Highest

xnio-api-3.6.3.Final.jar

Description:

 The API JAR of the XNIO project

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\xnio\xnio-api\3.6.3.Final\xnio-api-3.6.3.Final.jar
MD5: 20c3ebc99c52bc7b14a99d18f44d9620
SHA1: 24e7702a42048192185d762eaf392da14fffb260
SHA256:9e1d9e56a35540c329b2d8d602261c85c1bf420c9026d8b6ed8e013ae3e8fa57
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.xnio:xnio-api:3.6.3.Final  Confidence:Highest

xnio-nio-3.6.3.Final.jar

Description:

 The NIO implementation of the XNIO project

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\xnio\xnio-nio\3.6.3.Final\xnio-nio-3.6.3.Final.jar
MD5: 365b060607cbfd0d11b030360f74a53f
SHA1: b4586af0c64ebaf4547f21a3a494fc1c073b6039
SHA256:e7f63e52aa2236948a255a91fef583deb285123c88b277a1fba6fa664c46e0ef
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.xnio:xnio-nio:3.6.3.Final  Confidence:Highest

jansi-1.16.jar

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar
MD5: dcd0f8872d723085a680692ff353f5da
SHA1: b1aaf0028852164ab6b4057192ccd0ba7dedd3a5
SHA256:7f3523cc23afe8ecb14511d5bcbd0285af4311c64e450d74d407eeb22861a112
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.fusesource.jansi:jansi:1.16  Confidence:Highest

wildfly-common-1.4.0.Final.jar

Description:

 Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\common\wildfly-common\1.4.0.Final\wildfly-common-1.4.0.Final.jar
MD5: 95b653f8c2a991905c7add932b361968
SHA1: f5cf8710427cc347f407bb232b88cc2c95e2d38f
SHA256:5de1de2b61ff2be500ab2de94eadd51cbf52d3074f9909f9a5046ae587cd26e3
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.common:wildfly-common:1.4.0.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.4.0  Confidence:Low  

wildfly-openssl-java-1.0.6.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-java\1.0.6.Final\wildfly-openssl-java-1.0.6.Final.jar
MD5: af809c06b5d9ad4f7f980e3c6fc662e8
SHA1: 90306c6b40b1382eb26b63fa7669bdc38b6bc592
SHA256:96e733f0b7acffc6a7f90496615d7ecba84e8651c41efd4a8255339901729969
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.0.6  Confidence:Low  
  • cpe: cpe:/a:openssl_project:openssl:1.0.6  Confidence:Low  
  • maven: org.wildfly.openssl:wildfly-openssl-java:1.0.6.Final  Confidence:Highest
  • cpe: cpe:/a:openssl:openssl:1.0.6  Confidence:Low  

CVE-1999-0428  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Vulnerable Software & Versions:

CVE-2007-5536  

Severity:Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Vulnerable Software & Versions:

CVE-2009-0590  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Vulnerable Software & Versions:

CVE-2013-0169  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Software & Versions:

CVE-2016-7055  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-320 Key Management Errors

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

Vulnerable Software & Versions:

CVE-2018-12433  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model.

Vulnerable Software & Versions:

CVE-2018-12437  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Vulnerable Software & Versions:

CVE-2018-12438  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Vulnerable Software & Versions:

wildfly-core-security-5.0.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\core\wildfly-core-security\5.0.0.Final\wildfly-core-security-5.0.0.Final.jar
MD5: c8cff17e179a4aff85a9f3024e1024fb
SHA1: d28c543dfe78ef840111c493e0bc79f85b2eb229
SHA256:3416b768674890803a1afbe6eb83866e179d325f2838fe3ac41130bd186b7dfe
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:5.0.0  Confidence:Low  
  • maven: org.wildfly.core:wildfly-core-security:5.0.0.Final  Confidence:Highest

wildfly-elytron-1.3.3.Final.jar

Description:

 WildFly Security SPIs

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\wildfly-elytron\1.3.3.Final\wildfly-elytron-1.3.3.Final.jar
MD5: 5a3bd51099e09853a331a6b01f886e51
SHA1: 8058f8302b9f2e52184d01ebe989dad917eece34
SHA256:abd7522da4381e3080ad4ac3861d27f0ccc42979a3e2d6069aa28f1e1f7dbddb
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.3.3  Confidence:Low  
  • maven: org.wildfly.security:wildfly-elytron:1.3.3.Final  Confidence:Highest

wildfly-elytron-tool-1.2.2.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\wildfly-elytron-tool\1.2.2.Final\wildfly-elytron-tool-1.2.2.Final.jar
MD5: 7dfc8e7d8120c817799109eb316a1244
SHA1: e6ebef9668943212627a3c87423e86bec71580ea
SHA256:04bf91d4cb0fe57c5d23b7f00b91d7859634d480bac267f91f49f47a67040ab1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.2.2  Confidence:Low  
  • maven: org.wildfly.security:wildfly-elytron-tool:1.2.2.Final  Confidence:Highest

undertow-server-1.1.0.Final.jar

Description:

 Integration project for integrating Elytron based HTTP authentication with Undertow.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\elytron-web\undertow-server\1.1.0.Final\undertow-server-1.1.0.Final.jar
MD5: f5980d524dcf594604c47e155121fcda
SHA1: 57f808501b507e9371f09d1654fbe79efd3aa33d
SHA256:04540254a79ad3fd9186ec5d97bd82219bfb8b2463e942cc31229c27b68a4cae
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.security.elytron-web:undertow-server:1.1.0.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.1.0  Confidence:Low  

wildfly-client-config-1.0.0.Final.jar

Description:

 Library for supporting WildFly common client configuration

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\client\wildfly-client-config\1.0.0.Final\wildfly-client-config-1.0.0.Final.jar
MD5: 3ff0e5e88af3b01db09cfc64c840f4e7
SHA1: b2a9bcecdeb8c00f383e023e16ab2d2aeb437df9
SHA256:94cf3f99aa8d6b08826e2db4f3b3898d08165005b7757580f61885cd6795b9af
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.client:wildfly-client-config:1.0.0.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.0.0  Confidence:Low  

wildfly-discovery-client-1.1.1.Final.jar

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\discovery\wildfly-discovery-client\1.1.1.Final\wildfly-discovery-client-1.1.1.Final.jar
MD5: 0c7b0f016fd48396393dc39747359480
SHA1: 4b241accf5b03010a3c34e899f2301fada801a46
SHA256:e241e9a83900f64776b78b2385514fb0083990b4d73ae6150216f91b1b04593f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.discovery:wildfly-discovery-client:1.1.1.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.1.1  Confidence:Low  

xercesImpl-2.11.0.SP5.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\xerces\xercesImpl\2.11.0.SP5\xercesImpl-2.11.0.SP5.jar
MD5: 372700501713f8ce444b085f8aac8159
SHA1: a1c4ea1ce804b443ceffd7529e09dfa2e3c5540b
SHA256:365cbfd4d22fb4bee179e091eb9daeecb0464e8b9a99dd4948290d5f8d2585f9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:xerces2_java:2.11.0.sp5  Confidence:Low  
  • maven: xerces:xercesImpl:2.11.0.SP5  Confidence:Highest

xml-resolver-1.2.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.

File Path: C:\Users\Queue\.m2\repository\xml-resolver\xml-resolver\1.2\xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
SHA256:47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: xml-resolver:xml-resolver:1.2  Confidence:Highest

kafka_2.12-1.0.0.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\kafka\kafka_2.12\1.0.0\kafka_2.12-1.0.0.jar
MD5: 3fb1413707fcece983c9059dbf2a3954
SHA1: ad01b6db4f88c6fef905e35e6fcea48a9d86fe6b
SHA256:93c2912cd060775bbef66e52dbdb5c54efa1246228f5de5caa7fb6b2328fb891
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:kafka:1.0.0  Confidence:Highest  
  • maven: org.apache.kafka:kafka_2.12:1.0.0  Confidence:Highest

CVE-2018-1288  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-200 Information Exposure

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

Vulnerable Software & Versions:

lz4-java-1.4.jar

Description:

 Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\lz4\lz4-java\1.4\lz4-java-1.4.jar
MD5: 642fc4c01a1a4f8c40bf0a5a1d279cf0
SHA1: 9bedb74f461a87ff2161bdf0778ad8ca6bad3e1c
SHA256:9ed51eb236340cab58780ed7d20741ff812bcb3875beb974fa7cf9ddea272358
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.lz4:lz4-java:1.4  Confidence:Highest

snappy-java-1.1.4.jar

Description:

 snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.4\snappy-java-1.1.4.jar
MD5: 4853706ccb86ab5dda6a8295cde4b54f
SHA1: d94ae6d7d27242eaa4b6c323f881edbb98e48da6
SHA256:f75ec0fa9c843e236c6e1512c17c095cfffd175f32e21ea0e3eccb540d77f002
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.xerial.snappy:snappy-java:1.1.4  Confidence:Highest

jackson-databind-2.9.1.jar

Description:

 General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-databind\2.9.1\jackson-databind-2.9.1.jar
MD5: 88d151266214f04685a7b5630cb3f55a
SHA1: 716da1830a2043f18882fc036ec26eb32cbe5aff
SHA256:17b28ec21ae487bb9a0570b6c0ec66b2277d47546d4089c3a5a2b3e60054134c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson-databind:2.9.1  Confidence:Highest  
  • maven: com.fasterxml.jackson.core:jackson-databind:2.9.1  Confidence:Highest
  • cpe: cpe:/a:fasterxml:jackson:2.9.1  Confidence:Low  

CVE-2017-17485  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Vulnerable Software & Versions:

CVE-2018-5968  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Vulnerable Software & Versions:

CVE-2018-7489  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Software & Versions:

jackson-annotations-2.9.0.jar

Description:

Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-annotations\2.9.0\jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256:45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.fasterxml.jackson.core:jackson-annotations:2.9.0  Confidence:Highest
  • cpe: cpe:/a:fasterxml:jackson:2.9.0  Confidence:Low  

jackson-core-2.9.1.jar

Description:

 Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-core\2.9.1\jackson-core-2.9.1.jar
MD5: 55648b70ec039342d62c18e86a2294da
SHA1: 60077fe98b11e4e7cf8af9b20609326a166d6ac4
SHA256:782e7efa27452f76f7e1191c166613bfbec785ac73ffb5504d323f07f3b1700e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.9.1  Confidence:Low  
  • maven: com.fasterxml.jackson.core:jackson-core:2.9.1  Confidence:Highest

jopt-simple-5.0.4.jar

Description:

 A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\net\sf\jopt-simple\jopt-simple\5.0.4\jopt-simple-5.0.4.jar
MD5: eb0d9dffe9b0eddead68fe678be76c49
SHA1: 4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c
SHA256:df26cc58f235f477db07f753ba5a3ab243ebe5789d9f89ecf68dd62ea9a66c28
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.jopt-simple:jopt-simple:5.0.4  Confidence:Highest

metrics-core-2.2.0.jar

File Path: C:\Users\Queue\.m2\repository\com\yammer\metrics\metrics-core\2.2.0\metrics-core-2.2.0.jar
MD5: e9f8554d1924149fbfbdd9a8b345dfbd
SHA1: f82c035cfa786d3cbec362c38c22a5f5b1bc8724
SHA256:6b7a14a6f34c10f8683f7b5e2f39df0f07b58c7dff0e468ebbc713905c46979c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.yammer.metrics:metrics-core:2.2.0  Confidence:Highest

scala-library-2.12.3.jar

Description:

 Standard library for the Scala Programming Language

License:

BSD 3-Clause: http://www.scala-lang.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\scala-lang\scala-library\2.12.3\scala-library-2.12.3.jar
MD5: e06916a907feee903774972e00e27839
SHA1: f2e496f21af2d80b48e0a61773f84c3a76a0d06f
SHA256:a8dd181a996dcc53a8c0bbb554bef7a1a9017ca09a377603167cf15444a85404
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2017-15288  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.

Vulnerable Software & Versions:

slf4j-log4j12-1.7.25.jar

Description:

 SLF4J LOG4J-12 Binding

File Path: C:\Users\Queue\.m2\repository\org\slf4j\slf4j-log4j12\1.7.25\slf4j-log4j12-1.7.25.jar
MD5: 7f16ba3b1ab6a781c3f6887eae7b608d
SHA1: 110cefe2df103412849d72ef7a67e4e91e4266b4
SHA256:ddb343954deb6f046f862606c534178730c02ed23d0b7f6ca1012c1e3fa74273
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.slf4j:slf4j-log4j12:1.7.25  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.7.25  Confidence:Low  

zkclient-0.10.jar

Description:

 A zookeeper client, that makes life a little easier.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\101tec\zkclient\0.10\zkclient-0.10.jar
MD5: d403d66b9b02fbd34db3ce0ad8870f9c
SHA1: c54d4b5a5e89af75a80b6d5857400165ce5188d0
SHA256:26e988b8bba838c724fd8350b331ee8b5ffc59c3a9c074df115c4c3a6c843878
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.101tec:zkclient:0.10  Confidence:Highest

zookeeper-3.4.10.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\zookeeper\zookeeper\3.4.10\zookeeper-3.4.10.jar
MD5: 550ce0afeb92ef4a75f194b143e23995
SHA1: 08eebdbb7a9df83e02eaa42d0e5da0b57bf2e4da
SHA256:caa38ce6b2f52c59c10b80f89abb544cc4279257805fc0c969010cbab1a11079
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.zookeeper:zookeeper:3.4.10  Confidence:Highest
  • cpe: cpe:/a:apache:zookeeper:3.4.10  Confidence:Low  

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

orc-core-1.4.3.jar

Description:

The core reader and writer for ORC files. Uses the vectorized column batch for the in memory representation.

File Path: C:\Users\Queue\.m2\repository\org\apache\orc\orc-core\1.4.3\orc-core-1.4.3.jar
MD5: 98576317ca19e49f1b1bc4ec6493b901
SHA1: 4906a140c708269582ba2b659ba3a7062f580533
SHA256:5f0422ce6a354db35bdc57fc169e1cac5a51c8039d088e1ffdae23ea1ae24e66
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.orc:orc-core:1.4.3  Confidence:Highest

protobuf-java-2.5.0.jar

Description:

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\com\google\protobuf\protobuf-java\2.5.0\protobuf-java-2.5.0.jar
MD5: a44473b98947e2a54c54e0db1387d137
SHA1: a10732c76bfacdbd633a7eb0f7968b1059a65dfa
SHA256:e0c1c64575c005601725e7c6a02cebf9e1285e888f756b2a1d73ffa8d725cc74
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

commons-lang-2.6.jar

Description:

Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-lang\commons-lang\2.6\commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-lang:commons-lang:2.6  Confidence:Highest

aircompressor-0.8.jar

Description:

 Compression algorithms

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\io\airlift\aircompressor\0.8\aircompressor-0.8.jar
MD5: 21a730eeeaf42f5f17ce531e8f6a314c
SHA1: e2516b38b6674adcc730a90a59cfd861c1da3e7e
SHA256:5ff153975c0d9be96ad454ddffdbfb1d2492f5e1fa342ea51950e0bdec3f8aef
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: io.airlift:aircompressor:0.8  Confidence:Highest

hive-storage-api-2.2.1.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\hive\hive-storage-api\2.2.1\hive-storage-api-2.2.1.jar
MD5: 74823981797a3db5af9b6d5af68d6146
SHA1: 57c9cfcabeb865ad41e6fdd92a46434803188494
SHA256: 7b0e44425f86f2e15623ef12a688972327b545501012561a23cf9819bbc16286
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:hive:2.2.1  Confidence:Low  
  • maven: org.apache.hive:hive-storage-api:2.2.1  Confidence:Highest

camel-core-2.19.3.jar

Description:

The Core Camel Java DSL based router

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\camel\camel-core\2.19.3\camel-core-2.19.3.jar
MD5: 0924007a4f7dc89e13ee8deb2e479894
SHA1: 61b3ef9305ebf02915e82dd62c939a86bfd37cb1
SHA256: 454ac9cb5a9c2d58fdec03a34fcfa013cac0c2a4d46c82c7d06abc998a21702c
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:camel:2.19.3  Confidence:Low  
  • maven: org.apache.camel:camel-core:2.19.3  Confidence:Highest

jaxb-core-2.2.11.jar

Description:

Old JAXB Core module. Contains sources required by XJC, JXC and Runtime modules with dependencies.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.2.11\jaxb-core-2.2.11.jar
MD5: c5eca4e58a75eabe3379926803421bab
SHA1: c3f87d654f8d5943cd08592f3f758856544d279a
SHA256: b13da0c655a3d590a2a945553648c407e6347648c9f7a3f811b7b3a8a1974baa
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: com.sun.xml.bind:jaxb-core:2.2.11  Confidence:Highest

jaxb-impl-2.2.11.jar

Description:

Old JAXB Runtime module. Contains sources required for runtime processing.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-impl\2.2.11\jaxb-impl-2.2.11.jar
MD5: bea06b3ee5ef2c338beac9187b7782f3
SHA1: a49ce57aee680f9435f49ba6ef427d38c93247a6
SHA256: f91793a96f185a2fc004c86a37086f060985854ce6b19935e03c4de51e3201d2
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: com.sun.xml.bind:jaxb-impl:2.2.11  Confidence:Highest

jenkins-core-2.19.jar

Description:

Jenkins core code and view files to render HTML.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\jenkins-core\2.19\jenkins-core-2.19.jar
MD5: 3b8db3bfa980ec4e42f79719be8a5464
SHA1: db0de9ad96cc4e9755f427109572988e630487dd
SHA256: 0f08b7bab8b732757a93d042e8d5a141b7ab67448bb66b8d7701091f238aeecc
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci.main:jenkins-core:2.19  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:2.19  Confidence:Highest  

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2598  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-326 Inadequate Encryption Strength

Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

Vulnerable Software & Versions:

CVE-2017-2599  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-275 Permission Issues

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

Vulnerable Software & Versions:

CVE-2017-2600  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

Vulnerable Software & Versions:

CVE-2017-2601  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

Vulnerable Software & Versions:

CVE-2017-2602  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).

Vulnerable Software & Versions:

CVE-2017-2603  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

Vulnerable Software & Versions:

CVE-2017-2604  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

Vulnerable Software & Versions:

CVE-2017-2606  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

Vulnerable Software & Versions:

CVE-2017-2607  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2017-2609  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including those the current user does not have access to.

Vulnerable Software & Versions:

CVE-2017-2610  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).

Vulnerable Software & Versions:

CVE-2017-2611  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-275 Permission Issues

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

Vulnerable Software & Versions:

CVE-2017-2612  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-254 7PK - Security Features

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.

Vulnerable Software & Versions:

CVE-2017-2613  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

CVE-2018-6356  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Vulnerable Software & Versions:

icon-set-1.0.5.jar

Description:

Contains Jenkins icon-set code relied upon by both Jenkins Core and the icon "shim" plugin.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\plugins\icon-shim\icon-set\1.0.5\icon-set-1.0.5.jar
MD5: 60bebae291441885f0d35d141450cdf5
SHA1: dedc76ac61797dafc66f31e8507d65b98c9e57df
SHA256: 5466e23ef32d050545c602b5b37646fd3425b3ddf20d7b4ae60103759d8aad35
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.0.5  Confidence:Low  
  • maven: org.jenkins-ci.plugins.icon-shim:icon-set:1.0.5  Confidence:Highest

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution vulnerability that allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, which would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm that allows an attacker to create an account if signup is enabled, or to create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in on-disk directories corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, which is typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /computer/(agent-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions: (show all)

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and LTS 2.89.1 and earlier could result in initialization steps running in the wrong order. There is a very short window after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions: (show all)

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before 2.44 and LTS before 2.32.2 is vulnerable to remote code execution involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions: (show all)

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions: (show all)

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions: (show all)

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java and ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters; such names can appear identical to the names of other users and cannot be deleted via the UI.

Vulnerable Software & Versions: (show all)

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions: (show all)

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions: (show all)

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it reverts to the legacy defaults, granting administrator access to anonymous users.

Vulnerable Software & Versions: (show all)

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests that return the contents of any file on the Jenkins master file system that the Jenkins master process can read.

Vulnerable Software & Versions: (show all)

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions: (show all)

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches and abort in-progress agent launches.

Vulnerable Software & Versions: (show all)

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which is typically the date of the most recent installation or upgrade.

Vulnerable Software & Versions: (show all)

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions: (show all)

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions: (show all)

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions: (show all)

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in SecurityRealm.java and TokenBasedRememberMeServices2.java that allows attackers with a valid remember-me cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions: (show all)

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions: (show all)

remoting-2.62.jar

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\remoting\2.62\remoting-2.62.jar
MD5: ae60ef6e4bf108e5fd2a782e345d3207
SHA1: 83178dfad5d48ca476c42a6b05dd976792309a27
SHA256:f11c0b354c2934bb3fb08409b17183f033ba3ef08c28d26c2a68ebdab90d36bd
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.88 and earlier and LTS 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems such as overwriting of unrelated configuration files.

Vulnerable Software & Versions: (show all)

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and LTS 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source of the suggestions allowed specifying text that includes HTML metacharacters such as less-than and greater-than characters.

Vulnerable Software & Versions: (show all)

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.83 and earlier and LTS 2.73.1 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, which is typically only granted to administrators.

Vulnerable Software & Versions: (show all)

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.83 and earlier and LTS 2.73.1 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions: (show all)

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.83 and earlier and LTS 2.73.1 and earlier provided information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions: (show all)

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.83 and earlier and LTS 2.73.1 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions: (show all)

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.83 and earlier and LTS 2.73.1 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions: (show all)

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.83 and earlier and LTS 2.73.1 and earlier at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions: (show all)

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API in Jenkins 2.83 and earlier and LTS 2.73.1 and earlier at /job/(job-name)/api contained information about upstream and downstream projects. This included information about projects that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions: (show all)

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

In Jenkins 2.83 and earlier and LTS 2.73.1 and earlier, the default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to those log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions: (show all)
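The secret-in-access-log exposure described for CVE-2017-1000401 (here and in the earlier copy of this entry above) is easy to check for after the fact: any GET request to a form-validation endpoint that carried a query string is a candidate leak. The following is an added example, written for this report and not code from Jenkins or from Dependency-Check. It assumes NCSA combined access-log lines and that Jenkins form-validation endpoints end in a path segment starting with "check" (the checkXxx convention); the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (NCSA combined format). These lines are made up for
# the example and do not come from any real Jenkins instance.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [12/Nov/2017:10:01:02 +0000] "GET /descriptorByName/com.example.Foo/checkApiKey?value=AKIA0123456789EXAMPLE HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Nov/2017:10:01:05 +0000] "POST /descriptorByName/com.example.Foo/checkApiKey HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Nov/2017:10:02:00 +0000] "GET /job/build-app/descriptorByName/com.example.Bar/checkPassword?value=hunter2&username=bob HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2017:10:03:00 +0000] "GET /job/build-app/lastBuild/consoleText HTTP/1.1" 200 5120 "-" "curl/7.55"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a form-validation endpoint is one whose final path segment starts with
# "check" (Jenkins' checkXxx validation methods); extend this if your instance differs.
VALIDATION_SEGMENT_RE = re.compile(r'(?:^|/)check[A-Za-z0-9_]*$')


def find_leaked_validation_params(log_text):
    """Return one finding per GET request to a validation endpoint that carried a query
    string. Only parameter names are recorded, so the report itself does not leak values."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.query or not VALIDATION_SEGMENT_RE.search(parts.path):
            continue
        findings.append({
            "line": lineno,
            "user": m.group("user"),
            "path": parts.path,
            "params": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
        })
    return findings


def redact_query_values(line):
    """Replace every query-string value in the request target with [REDACTED] so the
    line can be retained for forensics without keeping the secret."""
    m = LOG_RE.match(line)
    if not m:
        return line
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.query:
        return line
    redacted = "&".join(f"{k}=[REDACTED]" for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return line.replace(target, f"{parts.path}?{redacted}", 1)


if __name__ == "__main__":
    for f in find_leaked_validation_params(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: user={f['user']} path={f['path']} params={f['params']}")
    print(redact_query_values(SAMPLE_ACCESS_LOG.splitlines()[2]))
```

Run against a real access log, this flags lines 1 and 3 of the sample (the POST on line 2 and the non-validation GET on line 4 are ignored); any secret that appears in a flagged line should be rotated, and the log retained only in redacted form.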

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and LTS 2.89.1 and earlier could result in initialization steps running in the wrong order. There is a very short window after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions: (show all)

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions: (show all)

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions: (show all)

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java and ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters; such names can appear identical to the names of other users and cannot be deleted via the UI.

Vulnerable Software & Versions: (show all)
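The failure mode in CVE-2018-1000193 (here and in the earlier copy of this entry above) is that a name such as "admin" followed by a backspace or a zero-width character renders like "admin" but is a different user ID. A sign-up check has to reject invisible characters outright and, separately, refuse names whose visible form collides with an existing user. The following is an added example written for this report, not Jenkins' own HudsonPrivateSecurityRealm logic; the allowed alphabet (ASCII letters, digits, '-', '_' and '.') is an assumption chosen for the example.

```python
import unicodedata

# Unicode general categories that are invisible or non-printing: control (Cc), format
# (Cf, e.g. U+200B zero-width space), surrogates (Cs), private use (Co), unassigned (Cn).
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}
# Assumption for this example: user IDs are ASCII letters, digits, '-', '_' and '.'.
ALLOWED_PUNCTUATION = "-_."


def has_invisible_chars(name):
    """True if any character in `name` would not be visible when the name is displayed."""
    return any(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name)


def canonical_form(name):
    """What a name looks like once invisible characters are dropped and case/compatibility
    differences are folded. Two names with equal canonical forms are indistinguishable
    on screen, which is exactly the confusion the vulnerability enabled."""
    visible = "".join(ch for ch in name if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    return unicodedata.normalize("NFKC", visible).casefold()


def validate_new_username(name, existing_names):
    """Return (ok, reason). Rejects invisible characters, restricts the alphabet, and
    refuses any name whose canonical form collides with an existing user."""
    if not name:
        return False, "empty user name"
    if has_invisible_chars(name):
        return False, "control or format characters are not allowed"
    if not all(ch.isascii() and (ch.isalnum() or ch in ALLOWED_PUNCTUATION) for ch in name):
        return False, "only ASCII letters, digits, '-', '_' and '.' are allowed"
    if canonical_form(name) in {canonical_form(n) for n in existing_names}:
        return False, "name is indistinguishable from an existing user"
    return True, ""


if __name__ == "__main__":
    existing = ["admin", "alice"]
    for candidate in ["admin\x08", "\u200badmin", "Admin", "bob.builder"]:
        print(repr(candidate), validate_new_username(candidate, existing))
```

The canonical-form check is the part worth keeping even where the alphabet rule is relaxed: it is what turns "admin" plus a backspace into a detected collision rather than a second, undeletable "admin".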

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions: (show all)

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions: (show all)

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it reverts to the legacy defaults, granting administrator access to anonymous users.

Vulnerable Software & Versions: (show all)

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests that return the contents of any file on the Jenkins master file system that the Jenkins master process can read.

Vulnerable Software & Versions: (show all)

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions: (show all)

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches and abort in-progress agent launches.

Vulnerable Software & Versions: (show all)

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, LTS 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which is typically the date of the most recent installation or upgrade.

Vulnerable Software & Versions: (show all)

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions: (show all)

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions: (show all)

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions: (show all)

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in SecurityRealm.java and TokenBasedRememberMeServices2.java that allows attackers with a valid remember-me cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions: (show all)

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, LTS 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions: (show all)

CVE-2018-6356  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Vulnerable Software & Versions: (show all)
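Three entries in this block are variations on one check: CVE-2018-6356 (relative paths escaping the plugin resource base directory), CVE-2018-1000194 (paths from agents escaping the allowed area on the master) and CVE-2018-1000068 (META-INF/WEB-INF blocked by exact string match, bypassed on a case-insensitive file system). The following is an added example, written for this report and not code from Jenkins, of how a resource path should be normalized, confined and filtered. It assumes URL-style, possibly percent-encoded request paths served relative to one base directory; the base directory used in the demonstration is a made-up path.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumption for this example: resource paths arrive URL-style (forward slashes, possibly
# percent-encoded) and are served relative to one base directory per plugin.
FORBIDDEN_TOP_LEVEL_DIRS = {"meta-inf", "web-inf"}


def normalize_resource_path(requested):
    """Return a clean relative path for `requested`, or None if it must be rejected.
    Rejects NUL bytes, absolute paths (POSIX, UNC and drive-letter forms) and every
    form of parent-directory escape, after percent-decoding and backslash folding."""
    if not requested or "\x00" in requested:
        return None
    # Decode once, then treat backslashes as separators: Windows resolves "..\\" just
    # like "../", so a check that only looks for "/" would let it through.
    candidate = unquote(requested).replace("\\", "/")
    if candidate.startswith("/"):
        return None
    if len(candidate) >= 2 and candidate[1] == ":":
        return None
    norm = posixpath.normpath(candidate)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def is_forbidden_resource(rel_path):
    """Compare the first path component case-insensitively so that on a case-insensitive
    file system 'Meta-Inf/MANIFEST.MF' cannot bypass a check written for 'META-INF'."""
    return rel_path.split("/", 1)[0].lower() in FORBIDDEN_TOP_LEVEL_DIRS


def resolve_resource(base_dir, requested):
    """Map an untrusted request path to an absolute file path under `base_dir`, or None.
    Containment is re-checked on the resolved real path so symlinks cannot point outside."""
    rel = normalize_resource_path(requested)
    if rel is None or is_forbidden_resource(rel):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, *rel.split("/")))
    try:
        if os.path.commonpath([base, full]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return full


if __name__ == "__main__":
    base = "/var/lib/jenkins/plugins/example"  # made-up base directory
    for req in ["images/icon.png", "../../config.xml", "%2e%2e/secrets/master.key",
                "..\\..\\config.xml", "META-INF/MANIFEST.MF", "Web-Inf/web.xml"]:
        print(f"{req!r:32} -> {resolve_resource(base, req)}")
```

Two details matter more than the rest: normalization happens before the deny-list comparison (otherwise "x/../META-INF" slips past), and the deny-list comparison is case-folded regardless of the host file system, because the Jenkins home may live on a case-insensitive volume even when the code was written on one that is not.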

constant-pool-scanner-1.2.jar

Description:

 Simple utility to scan Java bytecode for class references in the constant pool.

License:

NetBeans CDDL/GPL: http://www.netbeans.org/cddl-gplv2.html
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\constant-pool-scanner\1.2\constant-pool-scanner-1.2.jar
MD5: a04ea81d440c7f10523b898c90dee1c9
SHA1: e5e0b7c7fcb67767dbd195e0ca1f0ee9406dd423
SHA256:375c4c5e95e91efc61233696ab4803454b01833665d1ab6f72c2f2c646fb1511
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:constant-pool-scanner:1.2  Confidence:Highest

cli-2.19.jar

Description:

 Command line interface for Jenkins

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\cli\2.19\cli-2.19.jar
MD5: 350ce57c5d23431f380419c808b787f0
SHA1: 9a1040ac05d8b4b08ba128ebf8821b047eb68ddc
SHA256:b8f8353797610b0a429be1b97d3bce592a77e2b6ad50d7783b94d533039b9488
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions: (show all)
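Every Jenkins entry in this report gives two ranges, one for the weekly line ("before 2.32", "2.83 and earlier") and one for the LTS line ("LTS before 2.19.3", "2.73.1 and earlier"), and an installed version must be compared only against the range for its own line: weekly 2.83 is not covered by the LTS fix in 2.73.2. Triage therefore needs a small comparison helper. The following is an added example written for this report, not part of Dependency-Check or Jenkins. It assumes weekly versions have two components and LTS versions three, and ignores a trailing "-suffix" such as "-SNAPSHOT". Note also which version to feed it: the cli jar carries the core version (cli-2.19 belongs to Jenkins 2.19), but remoting has its own version numbering, so the 2.62 of remoting-2.62.jar above is not a Jenkins core version and should not be compared against these ranges directly.

```python
import re

# Assumption: versions look like "2.83" (weekly) or "2.73.1" (LTS); any "-suffix" such as
# "-SNAPSHOT" is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text):
    """Return (major, minor, patch) with patch None for a weekly release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), None if patch is None else int(patch))


def is_lts(text):
    """LTS releases carry a third component (2.73.1); weekly releases do not (2.83)."""
    return parse_version(text)[2] is not None


def _sort_key(v):
    return (v[0], v[1], 0 if v[2] is None else v[2])


def _reference_for_line(installed, weekly_ref, lts_ref):
    """Pick the reference version that belongs to the same release line as `installed`."""
    return parse_version(lts_ref) if is_lts(installed) else parse_version(weekly_ref)


def affected_up_to(installed, weekly_last, lts_last):
    """'X and earlier' wording: affected if installed <= the last affected release on its line."""
    ref = _reference_for_line(installed, weekly_last, lts_last)
    return _sort_key(parse_version(installed)) <= _sort_key(ref)


def affected_before(installed, weekly_fixed, lts_fixed):
    """'before X' wording: affected if installed < the first fixed release on its line."""
    ref = _reference_for_line(installed, weekly_fixed, lts_fixed)
    return _sort_key(parse_version(installed)) < _sort_key(ref)


if __name__ == "__main__":
    # CVE-2016-9299: "before 2.32 and LTS before 2.19.3"
    print("2.19   vs CVE-2016-9299:", affected_before("2.19", "2.32", "2.19.3"))
    print("2.19.3 vs CVE-2016-9299:", affected_before("2.19.3", "2.32", "2.19.3"))
    # CVE-2017-1000393 etc.: "2.83 and earlier, LTS 2.73.1 and earlier"
    print("2.84   vs 2017-10 fixes:", affected_up_to("2.84", "2.83", "2.73.1"))
    print("2.73.1 vs 2017-10 fixes:", affected_up_to("2.73.1", "2.83", "2.73.1"))
```

For cli-2.19.jar this confirms the CVE-2016-9299 match (weekly 2.19 is before 2.32); the same two calls, with the installed core version, settle whether each of the other entries above applies before anything is added to a suppression file.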

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions: (show all)

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions: (show all)

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a denial of service in XStream-based deserialization: the JVM crashes when XStream attempts to instantiate void/Void.

Vulnerable Software & Versions: (show all)

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: an attacker could cause a victim to create an account if signup is enabled, or, if the victim is an administrator, to create an account, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions: (show all)

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people' (actual user accounts as well as users appearing in SCM) in on-disk directories named after the user ID. These directory names used the user ID without additional escaping, potentially resulting in problems such as overwriting unrelated configuration files.

Vulnerable Software & Versions: (show all)

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in persisted cross-site scripting if the source of the suggestions allowed text containing HTML metacharacters such as less-than and greater-than characters.

Vulnerable Software & Versions: (show all)

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could select the launch method 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was launched. Configuring this launch method now requires the Run Scripts permission, which is typically granted only to administrators.

Vulnerable Software & Versions: (show all)

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions: (show all)

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier exposed information about Jenkins user accounts to anyone with Overall/Read permission via the /user/(username)/api remote API. This included, for example, users' email addresses if the Mailer Plugin is installed. The remote API no longer includes information beyond the most basic (user ID and name) unless the requesting user is a Jenkins administrator.

Vulnerable Software & Versions: (show all)

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions: (show all)

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions: (show all)

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions: (show all)

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions: (show all)

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to those log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions: (show all)

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in initialization commands executing in the wrong order. There is a very short window after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message while Cross-Site Request Forgery (CSRF) protection is not yet effective.

Vulnerable Software & Versions: (show all)

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2598  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-326 Inadequate Encryption Strength

Jenkins before versions 2.44 and 2.32.2 encrypts stored secrets with AES in ECB mode, which uses no IV, so identical plaintexts (and identical 16-byte blocks within plaintexts) yield identical ciphertexts; this exposes Jenkins and the stored secrets to unnecessary risk (SECURITY-304).

Vulnerable Software & Versions: (show all)

CVE-2017-2599  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-275 Permission Issues

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

Vulnerable Software & Versions: (show all)

CVE-2017-2600  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Jenkins before versions 2.44 and 2.32.2, node monitor data could be viewed by low-privilege users via the remote API. This included system configuration and runtime information of these nodes (SECURITY-343).

Vulnerable Software & Versions: (show all)

CVE-2017-2601  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

Vulnerable Software & Versions: (show all)

CVE-2017-2602  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before versions 2.44 and 2.32.2 is vulnerable to improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem, which could allow malicious agents to write to those metadata files (SECURITY-358).

Vulnerable Software & Versions: (show all)

CVE-2017-2603  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

Vulnerable Software & Versions: (show all)

CVE-2017-2604  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

Vulnerable Software & Versions: (show all)

CVE-2017-2606  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users, who could obtain a list of items via an UnprotectedRootAction; other users legitimately have access.

Vulnerable Software & Versions: (show all)

CVE-2017-2607  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44 and 2.32.2 is vulnerable to persisted cross-site scripting in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts so that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

Vulnerable Software & Versions: (show all)

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions: (show all)

CVE-2017-2609  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information disclosure in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of views in its suggestions, including views the current user does not have access to.

Vulnerable Software & Versions: (show all)

CVE-2017-2610  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins before versions 2.44 and 2.32.2 is vulnerable to persisted cross-site scripting in search suggestions due to improper escaping of user names containing less-than and greater-than characters (SECURITY-388).

Vulnerable Software & Versions: (show all)

CVE-2017-2611  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-275 Permission Issues

Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

Vulnerable Software & Versions: (show all)

CVE-2017-2612  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:N/I:P/A:P)
CWE: CWE-254 7PK - Security Features

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.

Vulnerable Software & Versions: (show all)

CVE-2017-2613  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before versions 2.44 and 2.32.2 is vulnerable to CSRF user creation via GET requests issued by administrators. While the resulting user record was in most cases only retained until restart, administrators' web browsers could be manipulated into creating a large number of user records (SECURITY-406).

Vulnerable Software & Versions: (show all)

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions: (show all)

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions: (show all)

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in AboutJenkins.java and ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions: (show all)

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in HudsonPrivateSecurityRealm.java that allows users to sign up with user names containing control characters; such users can then appear to have the same name as other users and cannot be deleted via the UI.

Vulnerable Software & Versions: (show all)

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions: (show all)

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions: (show all)

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier, in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file out of the Jenkins home directory. If Jenkins is started without this file present, it reverts to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions: (show all)

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier, in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master process has access to.

Vulnerable Software & Versions: (show all)

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier, in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions: (show all)

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier, in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches and abort in-progress agent launches.

Vulnerable Software & Versions: (show all)

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions: (show all)

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier, in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which is typically the date of the most recent installation or upgrade.

Vulnerable Software & Versions: (show all)

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions: (show all)

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions: (show all)

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions: (show all)

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier, in SecurityRealm.java and TokenBasedRememberMeServices2.java that allows attackers with a valid remember-me cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions: (show all)

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier, in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions: (show all)

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier, in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions: (show all)

CVE-2018-6356  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Vulnerable Software & Versions: (show all)

version-number-1.1.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\version-number\1.1\version-number-1.1.jar
MD5: 09f7aa040d72c6793acf2a2197f17d07
SHA1: 19aaa284b3abaeb64c226bf6b5cb25b8ddf7379e
SHA256: b0b887dff8dca653d07eeaf9aed3e5918fb2f4b9a2500184687dd19d899b1f57
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:version-number:1.1  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:1.1  Confidence:Low  
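The CPE above is matched with Low confidence, and it is almost certainly a false positive: org.jenkins-ci:version-number is a small, separately versioned version-parsing helper published by the Jenkins project, not Jenkins core, so the Jenkins core CVEs listed below do not describe this jar. The practical response is to confirm that reading and then suppress the match rather than the individual CVEs, so that any future genuine finding against the same coordinates still surfaces. The following suppression file is an added example and not part of this report; it uses the suppression-file elements documented for Dependency-Check (schema URL, `sha1`, `cpe` prefix match) and keys on the SHA1 shown above so it applies to this exact artifact only.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not part of this Dependency-Check report).
     Suppresses only the low-confidence cpe:/a:jenkins:jenkins match for the
     artifact with the SHA1 shown in the report, so Jenkins core CVEs are no
     longer attributed to the version-number helper library. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      file name: version-number-1.1.jar
      org.jenkins-ci:version-number is a stand-alone VersionNumber helper published by
      the Jenkins project; it is not Jenkins core, so the CPE cpe:/a:jenkins:jenkins:1.1
      (matched with Low confidence) is a false positive.
      Reviewed: YYYY-MM-DD by <reviewer>   (placeholder; fill in when applying)
    ]]></notes>
    <sha1>19aaa284b3abaeb64c226bf6b5cb25b8ddf7379e</sha1>
    <cpe>cpe:/a:jenkins:jenkins</cpe>
  </suppress>
</suppressions>
```

Pass the file with `--suppression <file>` on the CLI or the `suppressionFile` parameter of the Maven plugin. Pinning on `sha1` is deliberate: when the jar is upgraded the suppression silently stops matching and the new version is re-evaluated from scratch. If that re-review is unwanted, `<gav regex="true">org\.jenkins-ci:version-number:.*</gav>` in place of `sha1` covers every version of the coordinates, at the cost of never seeing a future finding against them.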

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions: (show all)

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions: (show all)

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions: (show all)

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions: (show all)

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions: (show all)

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions: (show all)

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions: (show all)

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions: (show all)

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions: (show all)

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions: (show all)

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 does not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 does not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information, or possibly gain administrative access, by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 does not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allows attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 does not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 does not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with multiple accounts to cause a denial of service (unable to log in) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm that lets an attacker create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in on-disk directories corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included, e.g., Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /computer/(agent-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in AboutJenkins.java and ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters, which can then appear to have the same name as other users and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in FilePath.java and SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

crypto-util-1.1.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\crypto-util\1.1\crypto-util-1.1.jar
MD5: cbc79ca21a2445ee9486d8c21bf417d9
SHA1: 3a199a4c3748012b9dbbf3080097dc9f302493d8
SHA256: 9392781f12743306cd7bb300d04263c3e71964885db6a8245b6dc095b96cd139
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1  Confidence:Low  
  • maven: org.jenkins-ci:crypto-util:1.1  Confidence:Highest

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a CSRF issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts, generally available to anyone with Overall/Read permission, via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

jtidy-4aug2000r7-dev-hudson-1.jar

Description:

 JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM parser for real-world HTML.

 Hudson modifications:
 =====================
 Removed SAX APIs

License:

Java HTML Tidy License: http://svn.sourceforge.net/viewvc/*checkout*/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\jtidy\4aug2000r7-dev-hudson-1\jtidy-4aug2000r7-dev-hudson-1.jar
MD5: 1f014d4bfe25ab914f8bc45eb9371d10
SHA1: ad8553d0acfa6e741d21d5b2c2beb737972ab7c7
SHA256:d9fdeb9be5b7b53a10a50cf70629288c039f219bb4b0cfd407354ebf4f163884
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:jtidy:4aug2000r7-dev-hudson-1  Confidence:Highest
  • cpe: cpe:/a:html-tidy:tidy:-  Confidence:Low  

guice-4.0-beta.jar

Description:

 Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

 This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies.

 Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\inject\guice\4.0-beta\guice-4.0-beta.jar
MD5: aec2b4f01e28e86bb8cac61b672dd16d
SHA1: a82be989679df08b66d48b42659a3ca2daaf1d5b
SHA256:0b4344c09b9d639d8ee715efc1e384d81251645fa7496bf72381a1585589525d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:google:guava:11.0.1  Confidence:Highest  
  • maven: com.google.guava:guava:11.0.1  Confidence:High
  • maven: com.google.inject:guice:4.0-beta  Confidence:Highest

CVE-2018-10237  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Vulnerable Software & Versions:

aopalliance-1.0.jar

Description:

 AOP Alliance

License:

Public Domain
File Path: C:\Users\Queue\.m2\repository\aopalliance\aopalliance\1.0\aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256:0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: aopalliance:aopalliance:1.0  Confidence:Highest

jna-posix-1.0.3-jenkins-1.jar

Description:

 Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\org\jruby\ext\posix\jna-posix\1.0.3-jenkins-1\jna-posix-1.0.3-jenkins-1.jar
MD5: 1a21cb979328da73fb57c78da7ce99b9
SHA1: fb1148cc8192614ec1418d414f7b6026cc0ec71b
SHA256:a19f5d74168127165ab3f74561f64d22085fcfe674c4b063edfa0bb1130cd0c4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jruby.ext.posix:jna-posix:1.0.3-jenkins-1  Confidence:Highest
  • cpe: cpe:/a:jruby:jruby:1.0.3  Confidence:Highest  

CVE-2010-1330  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

CVE-2011-4838  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2012-5370  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

jnr-posix-3.0.1.jar

Description:

 Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-posix\3.0.1\jnr-posix-3.0.1.jar
MD5: 4b72ad6a01e0b8c2668484e6c54c42f9
SHA1: 5ac18caed12108123c959c8acedef76ca4f28cb3
SHA256:e7ca6a8767bd91c9bf7d823068da28cba48a1c94f278c5b5240e1f3d93bfae22
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-posix:3.0.1  Confidence:Highest

jnr-ffi-1.0.7.jar

Description:

 A library for invoking native functions from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-ffi\1.0.7\jnr-ffi-1.0.7.jar
MD5: 73aeea2ddd36d6ec128802868e23ef1d
SHA1: ad98d2f600f0e680a4fb41bcb4a60078deb6f735
SHA256:ff61301e564326a5898532dc8dfd164ec51cd2eb02849ba8165d1194deb3ce16
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-ffi:1.0.7  Confidence:Highest

jffi-1.2.7.jar

Description:

 Java Foreign Function Interface

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.7\jffi-1.2.7.jar
MD5: e06351d38c8893bac3d0e54f0b095e14
SHA1: acda5c46140404e08b3526f39db1504874b34b4c
SHA256:a7675011e87b677cf3b58e6122e4981c75d981516567eaac748815f0b76f2d9e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jffi:1.2.7  Confidence:Highest

jffi-1.2.7-native.jar

File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.7\jffi-1.2.7-native.jar
MD5: 812c5384ea62208236321244dcab54ad
SHA1: 4e8c876383acb37da4347902a0a775aefd51de09
SHA256:a79a6b907c9954990b8385ab6152c7e82a0535566b59d7443378ef088c143c38
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jffi:1.2.7  Confidence:Highest

asm-commons-4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-commons\4.0\asm-commons-4.0.jar
MD5: b6e6837fed04d4a7bad291caad8756ea
SHA1: a839ec6737d2b5ba7d1878e1a596b8f58aa545d9
SHA256:b4b8881f518c8a4b1293cddfd7102c5364d6faf874ed7dc26b9686fd1e9ff66c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-commons:4.0  Confidence:Highest

asm-analysis-4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-analysis\4.0\asm-analysis-4.0.jar
MD5: ed783bcce7e90ec10c3deaa0944d3974
SHA1: 1c45d52b6f6c638db13cf3ac12adeb56b254cdd7
SHA256:dd5397abaf57231049acb101c451e598a947a5dd1829832779535cfdc2baf14e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-analysis:4.0  Confidence:Highest

asm-tree-4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-tree\4.0\asm-tree-4.0.jar
MD5: 2911ebc15a90c3efc248671a2d511e98
SHA1: 67bd266cd17adcee486b76952ece4cc85fe248b8
SHA256:d8b016a2205b2e141db426c041d2ae6d0d41bad050062a2a5175a259d36417da
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-tree:4.0  Confidence:Highest

asm-util-4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-util\4.0\asm-util-4.0.jar
MD5: 9b2e40069a269939c471a0b2c3c833ce
SHA1: d7a65f54cda284f9706a750c23d64830bb740c39
SHA256:3759ca392783ab2b28c7378969c7363a903dfd122749e12d9bbaab577478aeff
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-util:4.0  Confidence:Highest

jnr-x86asm-1.0.2.jar

Description:

 A pure-java X86 and X86_64 assembler

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-x86asm\1.0.2\jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
SHA256:39f3675b910e6e9b93825f8284bec9f4ad3044cd20a6f7c8ff9e2f8695ebf21e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-x86asm:1.0.2  Confidence:Highest

jnr-constants-0.8.5.jar

Description:

 A set of platform constants (e.g. errno values)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-constants\0.8.5\jnr-constants-0.8.5.jar
MD5: cc7709e3bacd8fc5820726cd9dba542a
SHA1: f84cca9e21f1f763a9eaf33de3d6a66a20ed7af0
SHA256:041dcfd74278363004c497b1ea1248a53e436fbff2d50ecc93601618af9ef9ba
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-constants:0.8.5  Confidence:Highest

trilead-putty-extension-1.2.jar

Description:

 Loads SSH key in the PuTTY format

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\trilead-putty-extension\1.2\trilead-putty-extension-1.2.jar
MD5: aef481868db6ebe61a4cf38a6cdff1ee
SHA1: 0f2f41517e1f73be8e319da27a69e0dc0c524bf6
SHA256:bda184d64b933a6f9c3588102e66f32f69d2e73575df486ff835c30695c432c6
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:trilead-putty-extension:1.2  Confidence:Highest
  • cpe: cpe:/a:putty:putty:1.2  Confidence:Low  

trilead-ssh2-build217-jenkins-8.jar

Description:

 Ganymed SSH2 for Java is a library which implements the SSH-2 protocol in pure Java

License:

BSD style license: http://www.ganymed.ethz.ch/ssh2/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\trilead-ssh2\build217-jenkins-8\trilead-ssh2-build217-jenkins-8.jar
MD5: 0bf76311a4187d0d9f8f27654856357f
SHA1: 4dbc5f2ebb271b35ea23a221fe76053d4348fa2d
SHA256:1e1165233f2914fc1b0640b5d164e922be20f49fcd68144e83288bfd155551d1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:trilead-ssh2:build217-jenkins-8  Confidence:Highest
  • cpe: cpe:/a:jenkins:ssh:-  Confidence:Low  

CVE-2017-1000245  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

Vulnerable Software & Versions:

stapler-groovy-1.243.jar

Description:

 Groovy binding for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-groovy\1.243\stapler-groovy-1.243.jar
MD5: 1e96cad88a22c78eac25b3d6f843c52b
SHA1: fd58017e6e07ba413c92f01616a06027540fd529
SHA256:1cc5b9476d820627ebf655391e21bff8ef7ca75d4621649aaa32dfb1c7b08b89
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-groovy:1.243  Confidence:Highest

stapler-jelly-1.243.jar

Description:

 Jelly binding for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-jelly\1.243\stapler-jelly-1.243.jar
MD5: 9d0eeb50b5b1e64fd4a1bc0d61ce2b0b
SHA1: ebde6fc553fa2fa278a9805eebfc916057711918
SHA256:796bb7ce727e667767c1c5d56b250961c95435164d3a354a62469d3b51c82598
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-jelly:1.243  Confidence:Highest

commons-jelly-1.1-jenkins-20120928.jar

Description:

 Jelly is a Java and XML based scripting engine. Jelly combines the best ideas from JSTL, Velocity, DVSL, Ant and Cocoon all together in a simple yet powerful scripting engine.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\commons-jelly\1.1-jenkins-20120928\commons-jelly-1.1-jenkins-20120928.jar
MD5: c0fc39ae35a97354654267c12d4f86c1
SHA1: 2720a0d54b7f32479b08970d7738041362e1f410
SHA256:73dc26fd3fb5b45006266cc2aa1d8cfa784d0e4406dc635881cf2670e502e97e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:commons-jelly:1.1  Confidence:Low  
  • maven: org.jenkins-ci:commons-jelly:1.1-jenkins-20120928  Confidence:Highest

dom4j-1.6.1-jenkins-4.jar

Description:

 dom4j: the flexible XML framework for Java

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\dom4j\dom4j\1.6.1-jenkins-4\dom4j-1.6.1-jenkins-4.jar
MD5: 4dc597b3ac3d2fb40a444a66e7bfebad
SHA1: 9a370b2010b5a1223c7a43dae6c05226918e17b1
SHA256:266389dc65896f73950c4c75ad42e3ee9f839ded8e6c76479ed11103fb25b547
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2018-1000632  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Vulnerable Software & Versions:

stapler-jrebel-1.243.jar

Description:

 JRebel reloading support for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-jrebel\1.243\stapler-jrebel-1.243.jar
MD5: de781a657d37783a6e309a448c9896b5
SHA1: 5d76d9c1869f729ee258ec5219c5bf09f652bc2e
SHA256:19b80b2417b2af521ec426dbda863e2a518ad5524bae229d11649affdcb2e24d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-jrebel:1.243  Confidence:Highest

stapler-1.243.jar

Description:

 Stapler HTTP request handling engine

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler\1.243\stapler-1.243.jar
MD5: 829c4e7c729dec2bceee8b8b4963890f
SHA1: f70aeeee9a99d6ea1ecef82f2c2016a1db8b6fcd
SHA256:fdd7add36859f0f010d455d027f3cd72b816aa84ebe27f40457b2d3be4457fb9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler:1.243  Confidence:Highest

javax.annotation-api-1.2.jar

Description:

 Common Annotations for the Java™ Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\annotation\javax.annotation-api\1.2\javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: javax.annotation:javax.annotation-api:1.2  Confidence:Highest

commons-discovery-0.4.jar

Description:

 Commons Discovery

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\commons-discovery\commons-discovery\0.4\commons-discovery-0.4.jar
MD5: cdbb606faa974f9361a85d6df53aeb9f
SHA1: 9e3417d3866d9f71e83b959b229b35dc723c7bea
SHA256:97d264e2f98821c4cd39eacfd597b4dc7c19d4232cf1f335fc2eab389b2d92fd
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: commons-discovery:commons-discovery:0.4  Confidence:Highest

tiger-types-2.2.jar

License:

CDDL/GPLv2 dual license: http://www.opensource.org/licenses/cddl1.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\tiger-types\2.2\tiger-types-2.2.jar
MD5: dcc9eb485a88b85473fc70752a4a8473
SHA1: 7ddc6bbc8ca59be8879d3a943bf77517ec190f39
SHA256:37af58e5972b3a6678f0dca5932fae99cbe12c73f00f35b939c2ac27e791034c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet:tiger-types:2.2  Confidence:Highest

windows-package-checker-1.2.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\windows-package-checker\1.2\windows-package-checker-1.2.jar
MD5: d940ebb88b630260d295bb50246c3553
SHA1: 86b5d2f9023633808d65dbcfdfd50dc5ad3ca31f
SHA256:602f868ff050409f9cd5e9ced3a53c44f8ac7faca105b66d40a47dcc76f5a68f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:windows-package-checker:1.2  Confidence:Highest

stapler-adjunct-zeroclipboard-1.3.5-1.jar

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-zeroclipboard\1.3.5-1\stapler-adjunct-zeroclipboard-1.3.5-1.jar
MD5: 2fa83c1a4c2ba8c7253224fefe72f307
SHA1: 20184ea79888b55b6629e4479615b52f88b55173
SHA256:2116fb55ae05710db2a86f379f18617de3148f595c46a31d461833397540d3e8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-zeroclipboard:1.3.5-1  Confidence:Highest
  • cpe: cpe:/a:zeroclipboard_project:zeroclipboard:1.3.5.1  Confidence:Low  

stapler-adjunct-timeline-1.4.jar

License:

BSD License: http://simile.mit.edu/license.html
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-timeline\1.4\stapler-adjunct-timeline-1.4.jar
MD5: 39d5639b773184162378c855e7ea3f3e
SHA1: cb4664390d5f2fff8b4cdaee7d358b965be67fac
SHA256:00c8aac72fae3a652b9dae30e7cd98cbc82ae5e257b70cc7a8f5a4463946689d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-timeline:1.4  Confidence:Highest

stapler-adjunct-codemirror-1.3.jar

License:

MIT License: http://codemirror.net/LICENSE
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-codemirror\1.3\stapler-adjunct-codemirror-1.3.jar
MD5: 5ebb241efd642d6985b89d56b8d640c8
SHA1: fd1d45544400d2a4da6dfee9e60edd4ec3368806
SHA256:86805045ff832db5dd30bce3a3303c8004d2373a495556a06a61bc107518d7cc
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-codemirror:1.3  Confidence:Highest

bridge-method-annotation-1.13.jar

File Path: C:\Users\Queue\.m2\repository\com\infradna\tool\bridge-method-annotation\1.13\bridge-method-annotation-1.13.jar
MD5: 2ee1c4c795c0c749988760d3f3b14ff5
SHA1: 18cdce50cde6f54ee5390d0907384f72183ff0fe
SHA256:2bc0d11e078c6ee0c0f9a781aa12d9f2d78807e1c026952f834ca77cfaa1dd04
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.infradna.tool:bridge-method-annotation:1.13  Confidence:Highest

json-lib-2.4-jenkins-2.jar

Description:

 Java library for transforming beans, maps, collections, Java arrays and XML to JSON.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\json-lib\2.4-jenkins-2\json-lib-2.4-jenkins-2.jar
MD5: 89af908e408eedc0c3abd5a1a08e29de
SHA1: 7f4f9016d8c8b316ecbe68afe7c26df06d301366
SHA256:2ba2ac0f4e73e8f2a485903a014371bc2f72e3074d78970a97f4a5c8ff64551b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:json-lib:2.4-jenkins-2  Confidence:Highest

ezmorph-1.0.6.jar

Description:

 Simple Java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\sf\ezmorph\ezmorph\1.0.6\ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
SHA256:2be06a2380f8656426b5c610db694bbd75314caf3e9191affcd7942721398ed7
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: net.sf.ezmorph:ezmorph:1.0.6  Confidence:Highest

commons-httpclient-3.1.jar

Description:

 The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\commons-httpclient\commons-httpclient\3.1\commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:httpclient:3.1  Confidence:Low  
  • cpe: cpe:/a:apache:commons-httpclient:3.1  Confidence:Low  
  • maven: commons-httpclient:commons-httpclient:3.1  Confidence:Highest

args4j-2.0.31.jar

Description:

 args4j : Java command line arguments parser

License:

http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\args4j\args4j\2.0.31\args4j-2.0.31.jar
MD5: c71452dc7aee7e24fc88ceb6d9601329
SHA1: 6b870d81551ce93c5c776c3046299db8ad6c39d2
SHA256:2d08e1b232e46be8fb6b6596faf48d64be509449ce3799de758d953ba6380e7a
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: args4j:args4j:2.0.31  Confidence:Highest

annotation-indexer-1.11.jar

Description:

 Creates an index of annotations.

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\annotation-indexer\1.11\annotation-indexer-1.11.jar
MD5: ccc1ce06c44a27f44112ff36b113762e
SHA1: 74bd5d3eee3e92cd5cccfcf459f3d7214ceb2e1a
SHA256:6da7586ad8dcda09393203441cee9058e37a88c4703b8a36d3a81b98e39932bb
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:annotation-indexer:1.11  Confidence:Highest

bytecode-compatibility-transformer-1.8.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\bytecode-compatibility-transformer\1.8\bytecode-compatibility-transformer-1.8.jar
MD5: 49f5ddadbc4db1b1d335ab767820aae0
SHA1: aded88ffe12f1904758397f96f16957e97b88e6e
SHA256:fdc28e643b823211939f59f0b51438289499482c50437abd21aad29b94428810
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.8  Confidence:Low  
  • maven: org.jenkins-ci:bytecode-compatibility-transformer:1.8  Confidence:Highest

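The only identifier tying the long run of Jenkins core CVEs below to this jar is the Low-confidence CPE match cpe:/a:jenkins:jenkins:1.8: the match evidently pairs vendor evidence from the org.jenkins-ci groupId with the artifact version 1.8, so every "Jenkins before 1.x" entry in the NVD attaches to it. bytecode-compatibility-transformer is a bytecode rewriting library used by Jenkins, not Jenkins core, so these findings are false positives. The trilead-ssh2-build217-jenkins-8.jar entry above has the same shape: its Low-confidence match cpe:/a:jenkins:ssh:- is what pulls in CVE-2017-1000245, which describes plaintext credential storage in the Jenkins SSH Plugin, not a defect in the trilead-ssh2 library. The suppression file below is an added example, not part of this report or of the Dependency-Check project. It pins each suppression to the jar's SHA1 as printed in the report, so a different build of the same artifact is still scanned, and it suppresses the mismatched CPE rather than the individual CVE ids, so future Jenkins core CVEs do not reappear under these jars. The schema version in the xmlns is assumed to match the Dependency-Check release in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: added example, not part of the report. SHA1 values are
     copied from the report entries; the schema version is assumed to match
     the Dependency-Check release in use. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- bytecode-compatibility-transformer-1.8.jar: the Low-confidence match
       cpe:/a:jenkins:jenkins:1.8 reads the artifact version as Jenkins 1.8,
       so every "Jenkins before 1.x" core CVE attaches to this jar. -->
  <suppress>
    <notes><![CDATA[
      file name: bytecode-compatibility-transformer-1.8.jar
      False positive: Jenkins bytecode rewriting library, not Jenkins core.
    ]]></notes>
    <sha1>aded88ffe12f1904758397f96f16957e97b88e6e</sha1>
    <cpe>cpe:/a:jenkins:jenkins</cpe>
  </suppress>

  <!-- trilead-ssh2-build217-jenkins-8.jar: the Low-confidence match
       cpe:/a:jenkins:ssh:- pulls in CVE-2017-1000245, which concerns the
       Jenkins SSH Plugin's credential storage, not this SSH-2 library. -->
  <suppress>
    <notes><![CDATA[
      file name: trilead-ssh2-build217-jenkins-8.jar
      False positive: CPE names the Jenkins SSH Plugin, not trilead-ssh2.
    ]]></notes>
    <sha1>4dbc5f2ebb271b35ea23a221fe76053d4348fa2d</sha1>
    <cpe>cpe:/a:jenkins:ssh</cpe>
  </suppress>

</suppressions>
```

Pass the file with --suppression suppressions.xml on the command line, or through the Maven plugin's suppressionFiles configuration. Two caveats. The cpe element matches any CPE that begins with the given value, so keep the sha1 (or a filePath regex) beside it rather than suppressing the CPE globally. And do not suppress every Low-confidence CPE on sight: cpe:/a:apache:commons-httpclient:3.1 on commons-httpclient-3.1.jar names the actual library, and a blanket rule would hide genuine matches. Finally, every dependency in this section is in provided scope, so it is the jars the host Jenkins instance actually ships, not this scan, that decide exposure to the genuine findings such as CVE-2018-1000632 on dom4j.
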
CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a CSRF issue in the Jenkins user database authentication realm: an attacker could create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier, and 2.73.2 and earlier, store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier, and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier, and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, and 2.83 and earlier, bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, and 2.83 and earlier, provided information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, and 2.83 and earlier, bundled a version of the commons-httpclient library affected by CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier, and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier, and 2.89.1 and earlier, could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

asm5-5.0.1.jar

Description:

ObjectWeb ASM package-renamed to isolate incompatibilities between major versions

License:

BSD License: http://asm.ow2.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\asm5\5.0.1\asm5-5.0.1.jar
MD5: 3fa9de5c3c3bb6847366d777b9e6c518
SHA1: 71ab0620a41ed37f626b96d80c2a7c58165550df
SHA256: 442c6c06d4dfac1afba4ddd31eec54d3dcabc78a37d70baa81455d41b84fb967
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:asm5:5.0.1  Confidence: Highest

task-reactor-1.4.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\task-reactor\1.4\task-reactor-1.4.jar
MD5: e102edb5dabfc6194eec1df6b6ee1baf
SHA1: b89e501a3bc64fe9f28cb91efe75ed8745974ef8
SHA256: 2d9ea1795e96735b7c0b2124c181ac10e71705f7ea1e28038a7244b0ced15841
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:task-reactor:1.4  Confidence: Highest
  • cpe: cpe:/a:jenkins:jenkins:1.4  Confidence: Low

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: an attacker could create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems such as overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source of the suggestions allowed specifying text that includes HTML metacharacters such as less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library affected by CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /computer/(agent-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

localizer-1.23.jar

File Path: C:\Users\Queue\.m2\repository\org\jvnet\localizer\localizer\1.23\localizer-1.23.jar
MD5: e89b90c473074e8f08d834bc1f782b28
SHA1: ad264334d8a581949e49146a65e4df927274dbfa
SHA256: feca42f5b40de346c1780df00fee4a5951f34200d43d013f907a516ca8c8183a
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.localizer:localizer:1.23  Confidence: Highest

antlr-2.7.6.jar

File Path: C:\Users\Queue\.m2\repository\antlr\antlr\2.7.6\antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
SHA256: df74f330d36526ff9e717731fd855152fcff51618f0b5785d0049022f89d568b
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: antlr:antlr:2.7.6  Confidence: Highest

xstream-1.4.7-jenkins-1.jar

Description:

 XStream is a serialization library from Java objects to XML and back.

License:

http://xstream.codehaus.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\xstream\1.4.7-jenkins-1\xstream-1.4.7-jenkins-1.jar
MD5: 6b27008bd6cb5f4cc430e219d785313a
SHA1: 161ed1603117c2d37b864f81a0d62f36cf7e958a
SHA256: 405fdd4c2e594756d2e7948acbef3b1cbe13fb024dc441a2fc8d492deb48cec3
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:xstream_project:xstream:1.4.7  Confidence: Low
  • maven: org.jvnet.hudson:xstream:1.4.7-jenkins-1  Confidence: Highest

CVE-2016-3674

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Vulnerable Software & Versions:

CVE-2017-7957

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

Vulnerable Software & Versions:

jfreechart-1.0.9.jar

Description:

JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: C:\Users\Queue\.m2\repository\jfree\jfreechart\1.0.9\jfreechart-1.0.9.jar
MD5: e40fdcd9dcf52833f3a9b2e63f1f438c
SHA1: 6e522aa603bf7ac69da59edcf519b335490e93a6
SHA256: 4a2a1eb6d188a43e1e97bb7c7d204a5bdd1aaec0d82203cf1b1156ff697d7f8e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: jfree:jfreechart:1.0.9  Confidence: Highest

jcommon-1.0.12.jar

Description:

JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: C:\Users\Queue\.m2\repository\jfree\jcommon\1.0.12\jcommon-1.0.12.jar
MD5: 99bc885bb5c68be1c09ed23c997df5ac
SHA1: 737f02607d2f45bb1a589a85c63b4cd907e5e634
SHA256: 34dd367ad34ae0baa5d5430fc9a13db1d12d66e29477cbb453ca92f5084a4e7b
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: jfree:jcommon:1.0.12  Confidence: Highest

ant-1.8.4.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\ant\ant\1.8.4\ant-1.8.4.jar
MD5: 067d9414ebe343fd1b229cfe9c928a84
SHA1: 8acff3fb57e74bc062d4675d9dcfaffa0d524972
SHA256: ffc5818ca8cde2ed111d9d6c6763d301429ad9897582f0968b80c1a136e9dba4
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.apache.ant:ant:1.8.4  Confidence: Highest

ant-launcher-1.8.4.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\ant\ant-launcher\1.8.4\ant-launcher-1.8.4.jar
MD5: 77ee843cb323c5ce1a244a16438ea9da
SHA1: 22f1e0c32a2bfc8edd45520db176bac98cebbbfe
SHA256: 4394951e8d8533732bf5745f4e7bffa721228c7d5475a2d5f143cb35ed9c2941
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.apache.ant:ant-launcher:1.8.4  Confidence: Highest

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-io\commons-io\2.4\commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256: cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: commons-io:commons-io:2.4  Confidence: Highest

commons-digester-2.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-digester\commons-digester\2.1\commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256: e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: commons-digester:commons-digester:2.1  Confidence: Highest

commons-compress-1.10.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-compress\1.10\commons-compress-1.10.jar
MD5: c1169464be26d435f268f03918b6baf7
SHA1: 5eeb27c57eece1faf2d837868aeccc94d84dcc9a
SHA256: 807c95293e41e8159477442077da6d0962a7f486d4b980be61f60a8db9cb290f
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:commons-compress:1.10  Confidence: Low
  • maven: org.apache.commons:commons-compress:1.10  Confidence: Highest

mail-1.4.4.jar

Description:

 JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\mail\mail\1.4.4\mail-1.4.4.jar
MD5: f30453ae9ee252c802d349009742065f
SHA1: b907ef0a02ff6e809392b1e7149198497fcc8e49
SHA256: e02be269ddd475651248889892f5dcaebb9058d5d3afef2c5b5dc391f2471528
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

activation-1.1.1-hudson-1.jar

Description:

 Java Activation Framework with patch

File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\activation\1.1.1-hudson-1\activation-1.1.1-hudson-1.jar
MD5: 8adfc4a9b8c3b2f7beae53e5ce8fdb73
SHA1: 7957d80444223277f84676aabd5b0421b65888c4
SHA256: aaa496cc667efb3f4c5e8960390ec5d3f8964a58970a3cb7ebe462054690e254
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:activation:1.1.1-hudson-1  Confidence: Highest

jaxen-1.1-beta-11.jar

Description:

 Jaxen is a universal Java XPath engine.

File Path: C:\Users\Queue\.m2\repository\jaxen\jaxen\1.1-beta-11\jaxen-1.1-beta-11.jar
MD5: 6b0c65b0db4e60c6e5daadf65cac1192
SHA1: 81e32b8bafcc778e5deea4e784670299f1c26b96
SHA256: 199d144dda603c8f936df60421c43f2707676be1163d4330163f36731944a304
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: jaxen:jaxen:1.1-beta-11  Confidence: Highest

commons-jelly-tags-fmt-1.0.jar

File Path: C:\Users\Queue\.m2\repository\commons-jelly\commons-jelly-tags-fmt\1.0\commons-jelly-tags-fmt-1.0.jar
MD5: ff110c950c9fcf08e98a325f6708ba78
SHA1: 2107da38fdd287ab78a4fa65c1300b5ad9999274
SHA256: 509e873164cf7c5b62b7a5285340ac0f59d92bbd861b78c91322a27e91f24638
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: commons-jelly:commons-jelly-tags-fmt:1.0  Confidence: Highest
  • cpe: cpe:/a:apache:commons-jelly:1.0.1.rc6  Confidence: Low

CVE-2017-12621

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

Vulnerable Software & Versions:

commons-jelly-tags-xml-1.1.jar

Description:

 The Jelly XML Tag Library

File Path: C:\Users\Queue\.m2\repository\commons-jelly\commons-jelly-tags-xml\1.1\commons-jelly-tags-xml-1.1.jar
MD5: 249d2afad4d419a8139549ca2ab8a05a
SHA1: cc0efc2ae0ff81ef7737afc786a0ce16a8540efc
SHA256: 416c0eb9a03cb6fe212982e133d0ddcbf204946e2c0006855f25f494f50646d8
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:commons-jelly:1.1  Confidence: Low
  • maven: commons-jelly:commons-jelly-tags-xml:1.1  Confidence: Highest

commons-jelly-tags-define-1.0.1-hudson-20071021.jar

Description:

 The Jelly Define Tag Library

File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\commons-jelly-tags-define\1.0.1-hudson-20071021\commons-jelly-tags-define-1.0.1-hudson-20071021.jar
MD5: 1d6763fb2a89c9fe54f75e69ded222f5
SHA1: 8b952d0e504ee505d234853119e5648441894234
SHA256: 943b68fe8ff055234b5799579e6dcc70ffa8e94a3f4c8f2fd10f77ced98b2c0d
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:commons-jelly-tags-define:1.0.1-hudson-20071021  Confidence: Highest
  • cpe: cpe:/a:apache:commons-jelly:1.0.1.rc6  Confidence: Low

CVE-2017-12621

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

Vulnerable Software & Versions:

commons-jexl-1.1-jenkins-20111212.jar

Description:

 Jexl is an implementation of the JSTL Expression Language with extensions.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\commons-jexl\1.1-jenkins-20111212\commons-jexl-1.1-jenkins-20111212.jar
MD5: 6ac1813e9e680f10aa01e5bfa06a7f22
SHA1: 0a990a77bea8c5a400d58a6f5d98122236300f7d
SHA256: 3d1e5c11e50862187b13a267afaf14257276c4e311f35305630b3dd690e73eba
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:commons-jexl:1.1-jenkins-20111212  Confidence: Highest

acegi-security-1.0.7.jar

File Path: C:\Users\Queue\.m2\repository\org\acegisecurity\acegi-security\1.0.7\acegi-security-1.0.7.jar
MD5: 355696bb2e3d3c9892543396271d4d79
SHA1: 72901120d299e0c6ed2f6a23dd37f9186eeb8cc3
SHA256: c59e0363a1f9d262da3bc6ac5a37d661372e14d8cb4f5afca734c815e7529a0b
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

CVE-2010-3700

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

Vulnerable Software & Versions:

spring-dao-1.2.9.jar

Description:

 Spring Framework: DAO

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-dao\1.2.9\spring-dao-1.2.9.jar
MD5: 2396ea4e1942a5fc7950cd4478120ec7
SHA1: 6f90baf86fc833cac3c677a8f35d3333ed86baea
SHA256: 4b1410d6d81a6cea35a6152e257262874d87a66634fe1fc3dd281a3a5e9d46de
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:1.2.9  Confidence: Low
  • cpe: cpe:/a:springsource:spring_framework:1.2.9  Confidence: Low
  • cpe: cpe:/a:pivotal:spring_framework:1.2.9  Confidence: Low
  • maven: org.springframework:spring-dao:1.2.9  Confidence: Highest
  • cpe: cpe:/a:vmware:springsource_spring_framework:1.2.9  Confidence: Low

CVE-2011-2730

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2013-4152

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-1904

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2016-9878

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

oro-2.0.8.jar

File Path: C:\Users\Queue\.m2\repository\oro\oro\2.0.8\oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256: e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: oro:oro:2.0.8  Confidence: Highest

groovy-all-2.4.7.jar

Description:

 Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\groovy\groovy-all\2.4.7\groovy-all-2.4.7.jar
MD5: 5ca6d56c892f665eda895de4784dd8e5
SHA1: c5371aaa20bcdca1175d9477fc0811f4fd99b68a
SHA256: 688f42c55454bf48ff0f293cc6320ed703c0c861c8e5d903c35d3b3f85b0029e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

jline-2.12.jar

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar
MD5: 391c352dda90e0e16aa129286d72f2c7
SHA1: ce9062c6a125e0f9ad766032573c041ae8ecc986
SHA256: d34b45c8ca4359c65ae61e406339022e4731c739bc3448ce3999a60440baaa72
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: jline:jline:2.12  Confidence: Highest

spring-aop-2.5.6.SEC03.jar

Description:

 Spring Framework: AOP

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-aop\2.5.6.SEC03\spring-aop-2.5.6.SEC03.jar
MD5: 234953c77588fcd130a9403700bf93b7
SHA1: 6468695557500723a18630b712ce112ec58827c1
SHA256: 0eeb6610b4bcc62ceba4acc73869552044c913d995d8d6fdb31a3c45fc42af54
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.6.sec03  Confidence: Low
  • cpe: cpe:/a:springsource:spring_framework:2.5.6.sec03  Confidence: Low
  • cpe: cpe:/a:pivotal:spring_framework:2.5.6.sec03  Confidence: Low
  • maven: org.springframework:spring-aop:2.5.6.SEC03  Confidence: Highest
  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03  Confidence: Low

CVE-2011-2730

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2013-4152

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-1904

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2016-9878

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

xpp3-1.1.4c.jar

Description:

 MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.

License:

Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: C:\Users\Queue\.m2\repository\xpp3\xpp3\1.1.4c\xpp3-1.1.4c.jar
MD5: 6e3c39f391e4994888b7d0030f775804
SHA1: 9b988ea84b9e4e9f1874e390ce099b8ac12cfff5
SHA256: 0341395a481bb887803957145a6a37879853dd625e9244c2ea2509d9bb7531b9
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: xpp3:xpp3:1.1.4c  Confidence:Highest

jstl-1.1.0.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\jstl\1.1.0\jstl-1.1.0.jar
MD5: ecc36a63c16bb2195198d24f2b803804
SHA1: bca201e52333629c59e459e874e5ecd8f9899e15
SHA256: adfc9894216d74165da7c808db5948b13d7e8c3f540eddc8217e9f2b63e8dfa4
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: javax.servlet:jstl:1.1.0  Confidence:Highest

txw2-20110809.jar

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\txw2\txw2\20110809\txw2-20110809.jar
MD5: 67aa3d67701de0b808ff606e1756c8bb
SHA1: 46afa3f3c468680875adb8f2a26086a126c89902
SHA256: 3c535fd9d38ce20b8c9031086710f0e6f3175e1a638fa088b3de43e7193211d7
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.sun.xml.txw2:txw2:20110809  Confidence:Highest

stax-api-1.0-2.jar

Description:

 StAX is a standard XML processing API that allows you to stream XML data from and to your application.

License:

GNU General Public License: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: C:\Users\Queue\.m2\repository\javax\xml\stream\stax-api\1.0-2\stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256: e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: javax.xml.stream:stax-api:1.0-2  Confidence:Highest

relaxngDatatype-20020414.jar

File Path: C:\Users\Queue\.m2\repository\relaxngDatatype\relaxngDatatype\20020414\relaxngDatatype-20020414.jar
MD5: fd667fbdaf3190bdd8aee4e8e2d12d5c
SHA1: de7952cecd05b65e0e4370cc93fc03035175eef5
SHA256: 2a2563efc911f431250214220570fac8ec3f43c3ec1e47328cee78062f81b218
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: relaxngDatatype:relaxngDatatype:20020414  Confidence:Highest

commons-collections-3.2.1.jar

Description:

 Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar
MD5: 13bc641afd7fd95e09b260f69c1e4c91
SHA1: 761ea405b9b37ced573d2df0d1e3a4e0f9edc668
SHA256: 87363a4c94eaabeefd8b930cb059f66b64c9f7d632862f23de3012da7660047b
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

CVE-2015-6420

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vulnerable Software & Versions:

CVE-2017-15708

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Vulnerable Software & Versions:

winp-1.22.jar

Description:

 Kill process tree in Windows

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.22\winp-1.22.jar
MD5: 1d7a3ec1bd370a57cc3a993d7d00501a
SHA1: ce9975a31fcab05061c03286555a032bf8d3a3aa
SHA256: 6929388c4096c9be67f0112abb81f11123a8505f63df826e7d1abfe6de559d00
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.winp:winp:1.22  Confidence:Highest

memory-monitor-1.9.jar

Description:

 Code for monitoring memory/swap usage

License:

MIT: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\memory-monitor\1.9\memory-monitor-1.9.jar
MD5: 69b97d9079f500cfaadd5bc8659dff68
SHA1: 1935bfb46474e3043ee2310a9bb790d42dde2ed7
SHA256: a57d4df8227dce7605be1514ba385859847bbc172dcade1e3439dc9b5e92399a
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:memory-monitor:1.9  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:1.9  Confidence:Low

CVE-2011-4344

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to unauthenticated remote code execution. The vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, which would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: it allows creating an account if signup is enabled, or creating an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems such as overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters such as less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, which is typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provided information about Jenkins user accounts via the /user/(username)/api remote API, which is generally available to anyone with Overall/Read permission. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /computer/(agent-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup in Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

wstx-asl-3.2.9.jar

Description:

 Woodstox is a high-performance XML processor that implements Stax (JSR-173) API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\woodstox\wstx-asl\3.2.9\wstx-asl-3.2.9.jar
MD5: 8cb7d88faca2da5a3f9a3c50eee1fc3b
SHA1: c82b6e8f225bb799540e558b10ee24d268035597
SHA256: fcfe0265682f49b40a81073959c7fc6d57efda8c86ccf3bc6700d884411b1271
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.codehaus.woodstox:wstx-asl:3.2.9  Confidence:Highest

stax-api-1.0.1.jar

Description:

 StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\stax\stax-api\1.0.1\stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
SHA256: d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: stax:stax-api:1.0.1  Confidence:Highest

jmdns-3.4.0-jenkins-3.jar

Description:

 Multi-cast DNS implementation for Java.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\jmdns\3.4.0-jenkins-3\jmdns-3.4.0-jenkins-3.jar
MD5: d01f9778ef41fe79ad93ea57c27d0573
SHA1: 264d0c402b48c365f34d072b864ed57f25e92e63
SHA256: a1fe04e60bdbe39271607ef926374028e7779d60134b23ecb2e0c7064adbd310
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:jmdns:3.4.0-jenkins-3  Confidence:Highest

jna-4.2.1.jar

Description:

 Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar
MD5: 8d536ddbe44d1500d262960891911f91
SHA1: fcc5b10cb812c41b00708e7b57baccc3aee5567c
SHA256: edc2a2c4f9b0b55fdc66aef3c9a9ddfff97e4b892842d4c0e1bc6eaff704abcb
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: net.java.dev.jna:jna:4.2.1  Confidence:Highest

akuma-1.10.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\akuma\1.10\akuma-1.10.jar
MD5: 0e6b6d5177056308682c9e8dfec7232a
SHA1: 0e2c6a1f79f17e3fab13332ab8e9b9016eeab0b6
SHA256: 8b06426d76aea70f7a6f3161f1522852152cbb692ca0a8b02860d705a908b61d
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:akuma:1.10  Confidence:Highest

libpam4j-1.8.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\libpam4j\1.8\libpam4j-1.8.jar
MD5: a8e0d0c46b9a1b74f7128ed520001dcf
SHA1: 548d4a1177adad8242fe03a6930c335669d669ad
SHA256: 9ea7647850da016dfe31f65b86ffba2792b0631816f7b4d96706bbc57a02b88f
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

CVE-2017-12197  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.

Vulnerable Software & Versions:

libzfs-0.5.jar

Description:

 libzfs for Java

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE: http://www.opensource.org/licenses/cddl1.txt
File Path: C:\Users\Queue\.m2\repository\org\jvnet\libzfs\libzfs\0.5\libzfs-0.5.jar
MD5: bfcf793719ed18bf35ab0d2ffb1549ee
SHA1: 664ce46c0ce5e4ea1199a83d3971ee6c1e308815
SHA256: 3d07a47648aef46c6dfd597405f3296d7e78c6fc1fabaf301ce08c21f3bfc5fe
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.libzfs:libzfs:0.5  Confidence:Highest

embedded_su4j-1.1.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\com\sun\solaris\embedded_su4j\1.1\embedded_su4j-1.1.jar
MD5: 754ab27a4bc4f2409d6cd9652f3ae3e0
SHA1: 9404130cc4e60670429f1ab8dbf94d669012725d
SHA256: 5ff5075959efd9c55296c8cfc6122ca3bdfd58cdc350ff12ff2659b260f7803e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.sun.solaris:embedded_su4j:1.1  Confidence:Highest

sezpoz-1.11.jar

File Path: C:\Users\Queue\.m2\repository\net\java\sezpoz\sezpoz\1.11\sezpoz-1.11.jar
MD5: 6ef113250efe61e77a950f64a05e6f75
SHA1: f3f63d07b3e6157fc4977484f6b53bc9dc81153f
SHA256: 11640d029dd5aafd0c7cf67c33317229fe545a07774bd4a20491bb8d89eb2180
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: net.java.sezpoz:sezpoz:1.11  Confidence:Highest

j-interop-2.0.6-kohsuke-1.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\jinterop\j-interop\2.0.6-kohsuke-1\j-interop-2.0.6-kohsuke-1.jar
MD5: cf88331453c9050f0b2f058ec0baaeaa
SHA1: b2e243227608c1424ab0084564dc71659d273007
SHA256: 994401c68a150bffe65718da044e57d1ba98e6266b7f0218b2968a14774fa477
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.jinterop:j-interop:2.0.6-kohsuke-1  Confidence:Highest

j-interopdeps-2.0.6-kohsuke-1.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\jinterop\j-interopdeps\2.0.6-kohsuke-1\j-interopdeps-2.0.6-kohsuke-1.jar
MD5: a17335569fd2765c000e9d76116b0da9
SHA1: 778400517a3419ce8c361498c194036534851736
SHA256: b091c448eb7e14e44d62c7869bace267210c20d387c49f61f68a1d068abf3ea9
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.jinterop:j-interopdeps:2.0.6-kohsuke-1  Confidence:Highest

jcifs-1.2.19.jar

Description:

 JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java

License:

GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: C:\Users\Queue\.m2\repository\org\samba\jcifs\jcifs\1.2.19\jcifs-1.2.19.jar
MD5: bcaefdc4b6521ea530ec129811f363c8
SHA1: 333384030132b83c87943b5a03c8b4b307738ffa
SHA256: 12a68e5ac15ae74f917bb59b13cd7f98da0c3e3866ca75f5995557903b80c782
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.samba.jcifs:jcifs:1.2.19  Confidence:Highest

robust-http-client-1.2.jar

Description:

 InputStream that hides automatic download retry

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\robust-http-client\robust-http-client\1.2\robust-http-client-1.2.jar
MD5: 33f540df15bd4a3324654a7a902207a2
SHA1: dee9fda92ad39a94a77ec6cf88300d4dd6db8a4d
SHA256: 015fc9ea5bbf8da691aabd5ce14429627734dcaef9d8513834dd8885f2b79df1
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.robust-http-client:robust-http-client:1.2  Confidence:Highest

symbol-annotation-1.1.jar

License:

MIT License: http://opensource.org/licenses/MIT
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\symbol-annotation\1.1\symbol-annotation-1.1.jar
MD5: aa7a9f9142f670bbcad1b906bca7c849
SHA1: 14fe06e7287a8aff81434a2fe8226744183fe955
SHA256: 88ffb7b93d2fcff190cdb7fd56a4dbe933eb78ea63cff0aa12f92974aa527715
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1  Confidence:Low  
  • maven: org.jenkins-ci:symbol-annotation:1.1  Confidence:Highest

CVE-2011-4344  

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2012-6073

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts, which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier, 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to remote code execution involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

commons-codec-1.8.jar

Description:

The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-codec\commons-codec\1.8\commons-codec-1.8.jar
MD5: b87aa66fe75685c82d082e750ab51b2e
SHA1: af3be3f74d25fc5163b54f56a0d394b462dafafd
SHA256:599b40b94b4a39c2550a4b5106df071aa03199b71ad5423207e2e7356aa4f8bb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-codec:commons-codec:1.8  Confidence:Highest

access-modifier-annotation-1.4.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\access-modifier-annotation\1.4\access-modifier-annotation-1.4.jar
MD5: 1afe6492b5fdb08b7bace3b4aaa6f4d0
SHA1: 734bb6a59541a42d1e8948cdf27f0cc1bf56d714
SHA256:b8e14a0503dafc5fa3dacf310312e6b99439b5bba32c74e24a68cc42394b051e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:access-modifier-annotation:1.4  Confidence:Highest

commons-fileupload-1.3.1-jenkins-1.jar

Description:

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-fileupload\commons-fileupload\1.3.1-jenkins-1\commons-fileupload-1.3.1-jenkins-1.jar
MD5: ca28a94467b2dd8e9448b4da692e0f7c
SHA1: 5d0270b78ad9d5344ce4a8e35482ad8802526aca
SHA256:bd0abd0e00af2e312f4973ece25586a18a4b356e77f96dbe333ae2dd164af6f1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2016-1000031  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Vulnerable Software & Versions:

CVE-2016-3092  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

jbcrypt-0.3m.jar

Description:

jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing code, as described in A Future-Adaptable Password Scheme by Niels Provos and David Mazières, by Damien Miller.

License:

ISC/BSD License
File Path: C:\Users\Queue\.m2\repository\org\mindrot\jbcrypt\0.3m\jbcrypt-0.3m.jar
MD5: 5cc2288708d15dd43bc8681f5b5541b0
SHA1: fe2d9c5f23767d681a7e38fc8986b812400ec583
SHA256:c0717079f4fe18f72f36ad1ab15a2afa63c6544fee4b9ac2128851330b5e1031
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:mindrot:jbcrypt:0.3m  Confidence:Low  
  • maven: org.mindrot:jbcrypt:0.3m  Confidence:Highest

guava-11.0.1.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, io classes, and much much more.

This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies.

Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: C:\Users\Queue\.m2\repository\com\google\guava\guava\11.0.1\guava-11.0.1.jar
MD5: 69a3d06554ebc3027c9432509a67ede2
SHA1: 57b40a943725d43610c898ac0169adf1b2d55742
SHA256:aa7cef9d2ba0110a2db7be0fb6e679cd71f6a26fc3ba9da7715f41d3300def1d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2018-10237  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Vulnerable Software & Versions:

jzlib-1.1.3-kohsuke-1.jar

Description:

 JZlib is a re-implementation of zlib in pure Java

License:

BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\com\jcraft\jzlib\1.1.3-kohsuke-1\jzlib-1.1.3-kohsuke-1.jar
MD5: 7f94e1243c83cd90ea28e4bf0cc61eaa
SHA1: af5d27e1de29df05db95da5d76b546d075bc1bc5
SHA256:f38267efb47d15c7d39226ac6907eb5e5413f9139af9147701458dbd01d36e7e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jcraft:jzlib:1.1.3  Confidence:Low  
  • maven: com.jcraft:jzlib:1.1.3-kohsuke-1  Confidence:Highest

commons-cli-1.2.jar

Description:

Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-cli\commons-cli\1.2\commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-cli:commons-cli:1.2  Confidence:Highest

commons-math3-3.1.1.jar

Description:

 The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-math3\3.1.1\commons-math3-3.1.1.jar
MD5: 505ece0d2261b037101e6c4bdf541ca7
SHA1: 6719d757a98ff24a83d9d727bef9cec83f59b6e1
SHA256:a07e39d31c46032879f0a48ae1bd0142b17dd67664c008b50216e9891f346c54
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.commons:commons-math3:3.1.1  Confidence:Highest

xmlenc-0.52.jar

Description:

 xmlenc Library

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\xmlenc\xmlenc\0.52\xmlenc-0.52.jar
MD5: c962b6bc3c8de46795b0ed94851fa9c7
SHA1: d82554efbe65906d83b3d97bd7509289e9db561a
SHA256:282ae185fc2ff27da7714af9962897c09cfefafb88072219c4a2f9c73616c026
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: xmlenc:xmlenc:0.52  Confidence:Highest

httpclient-4.5.2.jar

Description:

Apache HttpComponents Client

File Path: C:\Users\Queue\.m2\repository\org\apache\httpcomponents\httpclient\4.5.2\httpclient-4.5.2.jar
MD5: e0a45df625cb96b69505e59bb25a0189
SHA1: 733db77aa8d9b2d68015189df76ab06304406e50
SHA256:0dffc621400d6c632f55787d996b8aeca36b30746a716e079a985f24d8074057
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:httpclient:4.5.2  Confidence:Low  
  • maven: org.apache.httpcomponents:httpclient:4.5.2  Confidence:Highest

httpcore-4.4.4.jar

Description:

Apache HttpComponents Core (blocking I/O)

File Path: C:\Users\Queue\.m2\repository\org\apache\httpcomponents\httpcore\4.4.4\httpcore-4.4.4.jar
MD5: e7776f2b03a4c62d691a90d3c68c93c0
SHA1: b31526a230871fbe285fbcbe2813f9c0839ae9b0
SHA256:f7bc09dc8a7003822d109634ffd3845d579d12e725ae54673e323a7ce7f5e325
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.httpcomponents:httpcore:4.4.4  Confidence:Highest

commons-net-3.1.jar

Description:

Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-net\commons-net\3.1\commons-net-3.1.jar
MD5: 23c94d51e72f341fb412d6a015e16313
SHA1: 2298164a7c2484406f2aa5ac85b205d39019896f
SHA256:34a58d6d80a50748307e674ec27b4411e6536fd12e78bec428eb2ee49a123007
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-net:commons-net:3.1  Confidence:Highest

servlet-api-2.5.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\servlet-api\2.5\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.servlet:servlet-api:2.5  Confidence:Highest

jetty-6.1.26.jar

Description:

 Jetty server core

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\mortbay\jetty\jetty\6.1.26\jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256:21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:mortbay_jetty:jetty:6.1.26  Confidence:Low  
  • maven: org.mortbay.jetty:jetty:6.1.26  Confidence:Highest
  • cpe: cpe:/a:mortbay:jetty:6.1.26  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:6.1.26  Confidence:Low  

CVE-2011-4461  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Vulnerable Software & Versions:

jsp-api-2.1.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\jsp\jsp-api\2.1\jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Project/Scope:DependencyCheck:runtime

Identifiers

  • maven: javax.servlet.jsp:jsp-api:2.1  Confidence:Highest

jersey-core-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-core\1.19\jersey-core-1.19.jar
MD5: cdb4aea66737c70300be021a8ea50986
SHA1: 9a0619e2c514a79b610f17cadaae619c0a08d6a6
SHA256:5d1841b925fad033c836d911573457c96608cdd99c30c084f61b091aff8aa698
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-core:1.19  Confidence:Highest

jsr311-api-1.1.1.jar

License:

CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: C:\Users\Queue\.m2\repository\javax\ws\rs\jsr311-api\1.1.1\jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.ws.rs:jsr311-api:1.1.1  Confidence:Highest

jersey-servlet-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-servlet\1.19\jersey-servlet-1.19.jar
MD5: 49ff74d5db51842561630d6bdf013d45
SHA1: 2f19f1f7096d0fe3e09ae5698e4427114c23ad03
SHA256:e7c086c51aa6be9e260ea6574d4608e7c252648a1dec5bc15f096a8626099709
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-servlet:1.19  Confidence:Highest

jersey-json-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-json\1.19\jersey-json-1.19.jar
MD5: 34b0b65ae38159c4d74ffbfc09e467e1
SHA1: 12491ab748d2bee7be96629a749f361154e6705f
SHA256:ffa5388870b68cebd5a93464f0d8e75f325aa7cb179ae069bea0f12d0fb0d534
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-json:1.19  Confidence:Highest

jettison-1.1.jar

Description:

 A StAX implementation for JSON.

File Path: C:\Users\Queue\.m2\repository\org\codehaus\jettison\jettison\1.1\jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.jettison:jettison:1.1  Confidence:Highest

jackson-xc-1.9.2.jar

Description:

 Extensions that provide interoperability support for
Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\jackson\jackson-xc\1.9.2\jackson-xc-1.9.2.jar
MD5: d9d4d69e16e45595f0542eb6f2cf1117
SHA1: 437c991a8eb2c8b69ef1dba2eba27fccb9b98448
SHA256:97ddd164678c2705da7b22e9db3110c416b39cdfc50f385d23b586551d76a195
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:1.9.2  Confidence:Low  
  • maven: org.codehaus.jackson:jackson-xc:1.9.2  Confidence:Highest

jersey-server-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-server\1.19\jersey-server-1.19.jar
MD5: 20d340d5e608d4b2d3701d6b411a593b
SHA1: ee2ff839a65097eb12004edd909bcb4a97a2832c
SHA256:433248a5c9990a59f8f442f10a8090ef25dadfe1a0d492efd4ce1e35b24d3e1c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-server:1.19  Confidence:Highest

log4j-1.2.17.jar

Description:

 Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256:1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:log4j:1.2.17  Confidence:Low  
  • maven: log4j:log4j:1.2.17  Confidence:Highest

jets3t-0.9.0.jar

Description:

 JetS3t is a free, open-source Java toolkit and application suite for Amazon Simple Storage Service (Amazon S3), Amazon CloudFront content delivery network, and Google Storage for Developers.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\net\java\dev\jets3t\jets3t\0.9.0\jets3t-0.9.0.jar
MD5: 22559a7c686b19534707228decc3c6d7
SHA1: 792bc96ee7e57b89f472aa0cb5a31015b9f59c96
SHA256:e89893fc754b252af717d7d14accda946f7dfcfc1e293fd3e04725163d661bd7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.java.dev.jets3t:jets3t:0.9.0  Confidence:Highest

java-xmlbuilder-0.4.jar

Description:

 XML Builder is a utility that creates simple XML documents using relatively sparse Java code

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\com\jamesmurty\utils\java-xmlbuilder\0.4\java-xmlbuilder-0.4.jar
MD5: 0fa474213a6a0282cd9264f6e0dd3658
SHA1: ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf
SHA256:681e53c4ffd59fa12068803b259e3a83d43f07a47c112e748a187dee179eb31f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.jamesmurty.utils:java-xmlbuilder:0.4  Confidence:Highest

commons-configuration-1.6.jar

Description:

Tools to assist in the reading of configuration/preferences files in various formats

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-configuration\commons-configuration\1.6\commons-configuration-1.6.jar
MD5: b099d9f9b4b99071cc52b259308df69a
SHA1: 32cadde23955d7681b0d94a2715846d20b425235
SHA256:46b71b9656154f6a16ea4b1dc84026b52a9305f8eff046a2b4655fa1738e5eee
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-configuration:commons-configuration:1.6  Confidence:Highest

commons-beanutils-core-1.8.0.jar

File Path: C:\Users\Queue\.m2\repository\commons-beanutils\commons-beanutils-core\1.8.0\commons-beanutils-core-1.8.0.jar
MD5: a33ba25ae637909a97a60ff1d1b38857
SHA1: 175dc721f87e4bc5cc0573f990e28c3cf9117508
SHA256:9038c7ddc61d3d8089eb5a52a24b430a202617d57d2d344a93b68e4eafefefde
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-beanutils:commons-beanutils-core:1.8.0  Confidence:Highest
  • cpe: cpe:/a:apache:commons_beanutils:1.8.0  Confidence:Low  

CVE-2014-0114  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

jackson-core-asl-1.9.13.jar

Description:

 Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\jackson\jackson-core-asl\1.9.13\jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256:440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:1.9.13  Confidence:Low  
  • maven: org.codehaus.jackson:jackson-core-asl:1.9.13  Confidence:Highest

avro-1.7.4.jar

Description:

 Avro core components

File Path: C:\Users\Queue\.m2\repository\org\apache\avro\avro\1.7.4\avro-1.7.4.jar
MD5: de02dfb1f5880c0b422f215ffcaa3379
SHA1: 416e7030879814f52845b97f04bb50ecd1cef372
SHA256:a01d26e9a5ed0754e8c88dbb373fba896c57df0a0c424185767a3857855bb222
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.avro:avro:1.7.4  Confidence:Highest

paranamer-2.3.jar

File Path: C:\Users\Queue\.m2\repository\com\thoughtworks\paranamer\paranamer\2.3\paranamer-2.3.jar
MD5: e3060bebfe449abeb277e77c4c3388cb
SHA1: 4a85963a752c0a2f715c3924bfc686865e7e1bc6
SHA256:e93f50ae4d0de11080677f44ab268691266fed2b3ff7bc6fd97636febae7d8fe
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.thoughtworks.paranamer:paranamer:2.3  Confidence:Highest

re2j-1.0.jar

License:

The Go license: https://golang.org/LICENSE
File Path: C:\Users\Queue\.m2\repository\com\google\re2j\re2j\1.0\re2j-1.0.jar
MD5: f5a24a5ce8f4b3d910be3b264fcbd1cb
SHA1: d24ac5f945b832d93a55343cd1645b1ba3eca7c3
SHA256:5406ddfec247c0db50a11b2fe6f4d881980fc3b2c3d03fce7b258c4b014be3e0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.re2j:re2j:1.0  Confidence:Highest

gson-2.2.4.jar

Description:

 Google Gson library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256:c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.gson:gson:2.2.4  Confidence:Highest

hadoop-auth-3.0.0-alpha1.jar

Description:

 Apache Hadoop Auth - Java HTTP SPNEGO

File Path: C:\Users\Queue\.m2\repository\org\apache\hadoop\hadoop-auth\3.0.0-alpha1\hadoop-auth-3.0.0-alpha1.jar
MD5: 2652d97a539aca932935b5c633126659
SHA1: b18efdb5fa7ad10f325061e44dcdb967575e44ca
SHA256:1d7d7c8fb109178234b955a01fc60338634b3cbebd5291af53b4288cd57c0204
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2017-15713  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

Vulnerable Software & Versions:

CVE-2017-3166  

Severity:Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Vulnerable Software & Versions:

CVE-2017-7669  

Severity:High
CVSS Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

Vulnerable Software & Versions:

nimbus-jose-jwt-3.9.jar

Description:

 Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\nimbusds\nimbus-jose-jwt\3.9\nimbus-jose-jwt-3.9.jar
MD5: 2ec29f2a200e7b4ceb4c2ddacf8ae8cd
SHA1: db91ef101bb59af08371bfc8e39fa83423f20954
SHA256:54367ee9acd99220740615e39276a183feb439e81f9f9829ec63bdaa4025c8fb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2017-12972  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Vulnerable Software & Versions:

CVE-2017-12973  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

Vulnerable Software & Versions:

CVE-2017-12974  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

Vulnerable Software & Versions:

json-smart-1.1.1.jar

Description:

 JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

File Path: C:\Users\Queue\.m2\repository\net\minidev\json-smart\1.1.1\json-smart-1.1.1.jar
MD5: c382c9109020d001b96329c2057ba933
SHA1: 24a2f903d25e004de30ac602c5b47f2d4e420a59
SHA256:cebda25c3191aa441673c43d7a5a9567aa5d86a10101ae915a885c90bcee8771
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.minidev:json-smart:1.1.1  Confidence:Highest

curator-framework-2.7.1.jar

Description:

 High-level API that greatly simplifies using ZooKeeper.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-framework\2.7.1\curator-framework-2.7.1.jar
MD5: 35bff30d2a79a8b0731269604b1327ee
SHA1: 8c7b1eeb78e43bb91ea737111ba3dec0512be876
SHA256:a65e3f515b022d84d86c553c99216e384bc82d1de51b5a32b10f33314ad81ceb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:zookeeper:2.7.1  Confidence:Low  
  • maven: org.apache.curator:curator-framework:2.7.1  Confidence:Highest

CVE-2016-5017  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.

Vulnerable Software & Versions:

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

jsch-0.1.51.jar

Description:

 JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\com\jcraft\jsch\0.1.51\jsch-0.1.51.jar
MD5: 6f94a6d5dab69dcb0a75350382223af6
SHA1: 6ceee2696b07cc320d0e1aaea82c7b40768aca0f
SHA256:900d813ce39a20c1a75aa9ca9b0a468f93039a6993a7a9db4a16289dbaeb0596
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:jcraft:jsch:0.1.51  Confidence:Low  
  • maven: com.jcraft:jsch:0.1.51  Confidence:Highest

CVE-2016-5725  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.

Vulnerable Software & Versions:

curator-client-2.7.1.jar

Description:

 Low-level API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-client\2.7.1\curator-client-2.7.1.jar
MD5: 3b43933c18d1dcf15f88db73ee646396
SHA1: a591dfc085db3e9d4d480381cc7e6ae8a26b34af
SHA256:949ac95323bb13b4d9cde33ab1ca73f07a87e6e43cf76629e89fdd74d5b378e4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.curator:curator-client:2.7.1  Confidence:Highest

curator-recipes-2.7.1.jar

Description:

 All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-recipes\2.7.1\curator-recipes-2.7.1.jar
MD5: 156ad30fb9995b072175ae60fbb352a5
SHA1: a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa
SHA256:ce122f137e36268e30082bf1565c51d874ca926801be3ca73b3c0d522b0dfe2c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.curator:curator-recipes:2.7.1  Confidence:Highest

jsr305-3.0.0.jar

Description:

 JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\code\findbugs\jsr305\3.0.0\jsr305-3.0.0.jar
MD5: 195d5db8981fbec5fa18d5df9fad95ed
SHA1: 5871fb60dc68d67da54a663c3fd636a10a532948
SHA256:bec0b24dcb23f9670172724826584802b80ae6cbdaba03bdebdef9327b962f6a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.findbugs:jsr305:3.0.0  Confidence:Highest

htrace-core4-4.0.1-incubating.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.0.1-incubating\htrace-core4-4.0.1-incubating.jar
MD5: 0852b1855f82857d66901501bcb10922
SHA1: f4ef727cb4675788ac66f48e217020acc1690960
SHA256:0abe211fbe122dc18be76fe58fc366052ec1444e7afcbb29cc1bed828710e6de
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:4.0.1  Confidence:Low  
  • maven: org.apache.htrace:htrace-core4:4.0.1-incubating  Confidence:Highest

kerb-simplekdc-1.0.0-RC2.jar

Description:

 Kerb Simple Kdc

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-simplekdc\1.0.0-RC2\kerb-simplekdc-1.0.0-RC2.jar
MD5: e80832fc7caa3975b636e6f26f5298ae
SHA1: 9838ba87c7b89cc8778db0ca9335779667e0fcdb
SHA256:be2e3203338b97b9b5656022adaa41ed83542ce0770a19f8c22275c2e9879237
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-simplekdc:1.0.0-RC2  Confidence:Highest

kerby-config-1.0.0-RC2.jar

Description:

 Kerby config library

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-config\1.0.0-RC2\kerby-config-1.0.0-RC2.jar
MD5: 673810ec37e8e964d73e980ec8352141
SHA1: 63a0fadbda1e871e911ffe03d000b630f4f9f284
SHA256:ac649ee2a22298d6e9d7f69c953e6fbca945b579b86c70b88e5ded61eb6de726
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-config:1.0.0-RC2  Confidence:Highest

kerb-core-1.0.0-RC2.jar

Description:

 Kerby-kerb core facilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-core\1.0.0-RC2\kerb-core-1.0.0-RC2.jar
MD5: b4873b07de3b248e1723005a16db68d5
SHA1: 81e88af44b4a8fd9db75e6f5fdf5b5c3547ac022
SHA256:95d94301a0a82523f3f66e34b4b1f7960c6cacf4dad2f8e825667e398ec9c253
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-core:1.0.0-RC2  Confidence:Highest

kerby-asn1-1.0.0-RC2.jar

Description:

 Kerby ASN1 Project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-asn1\1.0.0-RC2\kerby-asn1-1.0.0-RC2.jar
MD5: 4308db9d2f3680a58f0438bb08bdacc3
SHA1: f9c72709d34b5aa7ffc21b29887a48a16aef9a08
SHA256:06dbf33c54f423afa770c9b6ea0d8eecd1b20077c480506253e629990f0f1c73
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-asn1:1.0.0-RC2  Confidence:Highest

kerby-pkix-1.0.0-RC2.jar

Description:

 Kerby PKIX Project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-pkix\1.0.0-RC2\kerby-pkix-1.0.0-RC2.jar
MD5: be19e70512a5494c78d8b57881620838
SHA1: 3213d43b9b88dbfc678b99f859853adbd5860f2e
SHA256:34da225b0efe8bd9fd0656413234b72a93edaf75b519f1d4563ea0e32da4b823
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-pkix:1.0.0-RC2  Confidence:Highest

kerby-util-1.0.0-RC2.jar

Description:

 Kerby common util, without any 3rd party dependency

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-util\1.0.0-RC2\kerby-util-1.0.0-RC2.jar
MD5: 5d8cf84f425b3c78544838f8e5e1f3f8
SHA1: cc5069ca67d9fe1df3d3ad8d38a50d1d2a1b459e
SHA256:ea1086228ac773ee9b634db7bbb3792bf18e86a80ca1511fc0d623027c685318
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-util:1.0.0-RC2  Confidence:Highest

kerb-client-1.0.0-RC2.jar

Description:

 Kerby-kerb Client

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-client\1.0.0-RC2\kerb-client-1.0.0-RC2.jar
MD5: 5be6823be155d7ec90c7e62c9b99585d
SHA1: 0c04de4e83e1f47b0cb44c1f30f299ed8ef04d12
SHA256:cb50cd69d7333d3d1b7c33fdd0ac8866c96ecdfe425ef1c2ebb57432975c58b7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-client:1.0.0-RC2  Confidence:Highest

kerb-common-1.0.0-RC2.jar

Description:

 Kerby-kerb Common facilities for both client and server

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-common\1.0.0-RC2\kerb-common-1.0.0-RC2.jar
MD5: bd5d7baab013406608b4a576cbd09312
SHA1: c331b713e3f24986cbfea51c1537215e4001fcfd
SHA256:6f48ef8ff28c37548df3bce0eb8b03f3500d7f5bcb24c35ac3c8cbec2a39e4b6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-common:1.0.0-RC2  Confidence:Highest

kerb-util-1.0.0-RC2.jar

Description:

 Kerby-kerb Utilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-util\1.0.0-RC2\kerb-util-1.0.0-RC2.jar
MD5: 18cc6e0a17e8c96cd9fd92500277a906
SHA1: 0f7351a13c029a9125ec074a7f4d7bd53c39633e
SHA256:605523ea7826b7badaec63ab18b86398a246481feb8a081ff028b4fbd5b4657b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-util:1.0.0-RC2  Confidence:Highest

kerb-crypto-1.0.0-RC2.jar

Description:

 Kerby-kerb Crypto facility

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-crypto\1.0.0-RC2\kerb-crypto-1.0.0-RC2.jar
MD5: f56c7560aa04f1e35de365d291c1616c
SHA1: 067c1215417d37f8e4bc307979fc6849be7d5395
SHA256:7460a7f51ce0f2051fad3c8a29d29f8f50e28c413367121cd8b4f5edc3bbc6c8
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-crypto:1.0.0-RC2  Confidence:Highest

kerb-server-1.0.0-RC2.jar

Description:

 Kerby-kerb Server

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-server\1.0.0-RC2\kerb-server-1.0.0-RC2.jar
MD5: 70654d4376b13960b564c541fcb0c0d7
SHA1: 219071f841b6e16d53718f7304caad47fdae567d
SHA256:5a0e3a60a71d6cc825ca5c535025b50e644a7dc8437f23331c055ef95ce4d670
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-server:1.0.0-RC2  Confidence:Highest

kerb-identity-1.0.0-RC2.jar

Description:

 Kerby-kerb Identity

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-identity\1.0.0-RC2\kerb-identity-1.0.0-RC2.jar
MD5: 36d42357192de6a88a94d6590ce83562
SHA1: d606d73af5c98cee7ba85325d423f8f634c53415
SHA256:d0bae95b57789a7d3386ad47be822f3d268e7029a13639c7d57034226c9cee6c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-identity:1.0.0-RC2  Confidence:Highest

kerb-admin-1.0.0-RC2.jar

Description:

 Kerby-kerb Admin facilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-admin\1.0.0-RC2\kerb-admin-1.0.0-RC2.jar
MD5: 9fe9f270403d4add215ee3b468f2be85
SHA1: 1997fffee2cd7c71e4fd07faa744346e94190c48
SHA256:ea94b52471e55f02671e0f913ae129757fe399865e2d63e5c16cab99a0028277
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-admin:1.0.0-RC2  Confidence:Highest

javax.servlet-api-3.1.0.jar

Description:

 Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\servlet\javax.servlet-api\3.1.0\javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.servlet:javax.servlet-api:3.1.0  Confidence:Highest

jetty-http-9.4.6.v20180619.jar

Description:

 Jetty module for Jetty :: Http Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-http\9.4.6.v20180619\jetty-http-9.4.6.v20180619.jar
MD5: a0ebf63b8977a23446849e76191dc7d9
SHA1: 9a68659b861071446ad669dbe9591f205692a122
SHA256:53e03543342161dadeff34b8232a5f9370ed8b8f3e321c45ab543bf81df2ca6a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.4.6.v20180619  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.4.6  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-http:9.4.6.v20180619  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

CVE-2018-12538  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-384 Session Fixation

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Software & Versions:

jetty-io-9.4.6.v20180619.jar

Description:

 Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-io\9.4.6.v20180619\jetty-io-9.4.6.v20180619.jar
MD5: aa381592e3d4b5a962defe07b778e840
SHA1: 9e8d00237cab794dcc786d7d64ce1e54943cbdfb
SHA256:6d26594eb67eabf918df69dc0b6d1d80557e6cfffa64b6db3f0c1d4ec2d9b72a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.4.6.v20180619  Confidence:Highest

plexus-archiver-3.5.jar

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-archiver\3.5\plexus-archiver-3.5.jar
MD5: 7e0e46070568524b33bcfa9168f7973f
SHA1: b04f65ba3d8d3a2e25de14723dc4725b3525e396
SHA256:b903f61fdee8e62a21b1c14a14247aadceba44ebe5c59be7910687eb71e59a11
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:archiver_project:archiver:3.5  Confidence:Low  
  • maven: org.codehaus.plexus:plexus-archiver:3.5  Confidence:Highest

plexus-utils-3.0.24.jar

Description:

 A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-utils\3.0.24\plexus-utils-3.0.24.jar
MD5: fbefd8983c6bb4928c27c680463ff355
SHA1: b4ac9780b37cb1b736eae9fbcef27609b7c911ef
SHA256:83ee748b12d06afb0ad4050a591132b3e8025fbb1990f1ed002e8b73293e69b4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-utils:3.0.24  Confidence:Highest

plexus-io-3.0.0.jar

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-io\3.0.0\plexus-io-3.0.0.jar
MD5: 9918a24023a63de64acb4695c3b6bfd7
SHA1: c1a315327d25865ae90aa6af977f027b35f49275
SHA256:5a49332ceb3a74e1551f792f56e375c9d3b10fe0b9b5b23d286d05bbbd44b44c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-io:3.0.0  Confidence:Highest

snappy-0.4.jar

Description:

 Port of Snappy to Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\iq80\snappy\snappy\0.4\snappy-0.4.jar
MD5: f0792d1dbe7f90d8b34c7c19961e0073
SHA1: a42b2d92a89efd35bb14738000dabcac6bd07a8d
SHA256:46a0c87d504ce9d6063e1ff6e4d20738feb49d8abf85b5071a7d18df4f11bac9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.iq80.snappy:snappy:0.4  Confidence:Highest

xz-1.6.jar

Description:

 XZ data compression

License:

Public Domain
File Path: C:\Users\Queue\.m2\repository\org\tukaani\xz\1.6\xz-1.6.jar
MD5: f1bd86b27cb86528aadc973dcd60f6ca
SHA1: 05b6f921f1810bdf90e25471968f741f87168b64
SHA256:a594643d73cc01928cf6ca5ce100e094ea9d73af760a5d4fb6b75fa673ecec96
Referenced In Project/Scope:DependencyCheck:runtime

Identifiers

  • cpe: cpe:/a:tukaani:xz:1.6  Confidence:Low  
  • maven: org.tukaani:xz:1.6  Confidence:Highest

CVE-2015-4035  

Severity:Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.

Vulnerable Software & Versions:

artemis-cli-1.3.0.jar: artemis-service.exe

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-cli\1.3.0\artemis-cli-1.3.0.jar\org\apache\activemq\artemis\cli\commands\bin\artemis-service.exe
MD5: f2e0f25d2c5cb9c1db26313ec55e4e7b
SHA1: 25167ad668140a05a651cd06ad1d50203bc020f7
SHA256:73d9e44d61e9b52fb22b684bc621d9bc247473b7625e3f2fc8a2d16cc0443d18
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

jolokia-war-1.3.3.war: jolokia-core-1.3.3.jar

Description:

 jar file containing servlet and helper classes

File Path: C:\Users\Queue\.m2\repository\org\jolokia\jolokia-war\1.3.3\jolokia-war-1.3.3.war\WEB-INF\lib\jolokia-core-1.3.3.jar
MD5: a74e178b7b8b111e804b4723ca7e4ee8
SHA1: 1259e53aab223899db38cda8d14cd8f337f6e945
SHA256:f52a8e36b35e70f0f55455157e1158790affb59e0858a73f908461607df3f5c5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jolokia:jolokia-core:1.3.3  Confidence:High
  • cpe: cpe:/a:jolokia:jolokia:1.3.3  Confidence:Low  

jolokia-war-1.3.3.war: json-simple-1.1.1.jar

Description:

 A simple Java toolkit for JSON

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jolokia\jolokia-war\1.3.3\jolokia-war-1.3.3.war\WEB-INF\lib\json-simple-1.1.1.jar
MD5: 5cc2c478d73e8454b4c369cee66c5bc7
SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1
SHA256:4e69696892b88b41c55d49ab2fdcc21eead92bf54acc588c0050596c3b75199c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.googlecode.json-simple:json-simple:1.1.1  Confidence:High

ehcache-core-2.6.11.jar: sizeof-agent.jar

File Path: C:\Users\Queue\.m2\repository\net\sf\ehcache\ehcache-core\2.6.11\ehcache-core-2.6.11.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.ehcache:sizeof-agent:1.0.1  Confidence:High

jansi-1.16.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF\native\windows32\jansi.dll
MD5: 11656f6f0800535dc79259a4299f9b36
SHA1: 53877c745604e1489fbd7671646f3b1d4e7e2316
SHA256:57e149395d70908f47206be96e03414631ab0036b8f1edb2ec29510e54512157
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jansi-1.16.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF\native\windows64\jansi.dll
MD5: d5beb4ff523696be6d23c34a0a78fbe6
SHA1: 558aea23a4ea0f6e6824b8cd4d2b0ecb9a154f37
SHA256:3d74c12f1984b220e46456398a3890750e6aa1cc2b4102f9f8a0c0c21338d72c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

wildfly-openssl-windows-i386-1.0.6.Final.jar: wfssl.dll

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-windows-i386\1.0.6.Final\wildfly-openssl-windows-i386-1.0.6.Final.jar\win-i686\wfssl.dll
MD5: f7f59b2ddc6205c9615f35355e9755b5
SHA1: a46016159ff790cfd3d0e45146061dc27eefb492
SHA256:52785b883beed5b0c0cd4f07f682f3c6daeb7002dd842d627c05d3175a3b692d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

wildfly-openssl-windows-x86_64-1.0.6.Final.jar: wfssl.dll

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-windows-x86_64\1.0.6.Final\wildfly-openssl-windows-x86_64-1.0.6.Final.jar\win-x86_64\wfssl.dll
MD5: f377287aaa2f050a253fda8ec1b3e8f0
SHA1: a41632556a50eff01387754edffcb1c017c19981
SHA256:472573400a788eb04afcf7b00f6145885c8a8072a1895d64eb457f49ede10247
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

snappy-java-1.1.4.jar: snappyjava.dll

File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.4\snappy-java-1.1.4.jar\org\xerial\snappy\native\Windows\x86\snappyjava.dll
MD5: 3a26e8509afd08f3683c330b1bf58c40
SHA1: 6adf193361c6d52faef973040b3eb8cc61911871
SHA256:f61b4eefdbea1639871e797c9eefb7598b09ac951cf3469ed8c1efa0b23909e6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

snappy-java-1.1.4.jar: snappyjava.dll

File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.4\snappy-java-1.1.4.jar\org\xerial\snappy\native\Windows\x86_64\snappyjava.dll
MD5: 29a6ce9e7d9bfab175e1ef40f4bfe217
SHA1: 2d8e611bbd4ae66cc65df13b8c20b8ca0e830fd3
SHA256:3f10fd4cc0f0a166a6055c491007ed28bb709ba87c9f883fd6131f877e601a22
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

jffi-1.2.7-native.jar: jffi-1.2.dll

File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.7\jffi-1.2.7-native.jar\jni\i386-Windows\jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
SHA256:d63b0ec9a7cc75c26fa951928bf550c0e9a5e6c195a3de94a9c24995206bbfd2
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jffi-1.2.7-native.jar: jffi-1.2.dll

File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.7\jffi-1.2.7-native.jar\jni\x86_64-Windows\jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
SHA256:58398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jline-2.12.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar\META-INF\native\windows32\jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
SHA256:0f59ff32a7c70e00a580d893de42ffaf48d0242b4d6251792666919b10ac3cd4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jline-2.12.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar\META-INF\native\windows64\jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
SHA256: c33505a7c1fb847c03329a4f0e4b3c5cebac3a3604133d797d09172de25e3978
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

winp-1.22.jar: winp.dll

File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.22\winp-1.22.jar\winp.dll
MD5: 613c691c63742db6e67819a9bb7421a8
SHA1: 5f785b31ffacd4a0974e18467023addebff1c85f
SHA256: cdec19880243f571d13941acda031315b56868aefa1150cae7d8296bc0f3c8b4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

winp-1.22.jar: winp.x64.dll

File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.22\winp-1.22.jar\winp.x64.dll
MD5: 22d9ab310a3fa2d96b6e03a836a47724
SHA1: 7e4f96280ddd2fd0a5a3c7e7edfcdde2cc5d1bc1
SHA256: b10eab0d79e17f258ce9b1ada592b5ad3a278d61d1f5700cd55b69d257d3cac8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jenkins-core-2.19.jar: jenkins.exe

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\jenkins-core\2.19\jenkins-core-2.19.jar\windows-service\jenkins.exe
MD5: 7a387842adf551434ab4568b56c57757
SHA1: 849d826d562dcb0e6f609755329a8a7f9cbad06a
SHA256: 052f82c167fbe68a4025bcebc19fff5f11b43576a2ec62b0415432832fa2272d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:cloudbees:jenkins:1.1.0.0  Confidence:Low  
  • cpe: cpe:/a:jenkins:jenkins:1.1.0.0  Confidence:Low  

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-0324  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0325.

Vulnerable Software & Versions:

CVE-2012-0325  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0324.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-2033  

Severity:Low
CVSS Score: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-2034  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary code or (2) initiate deployment of binaries to a Maven repository via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm that allows creating an account if signup is enabled, or creating an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
SHA256: 361e173e6e50cb1bf8b7fab38c1ff99686ea819e58ee30348e7756cb0418a9f6
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • None

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: d2f0da769204b8c45c207d8f3d8fc37e
SHA1: c6870c1b8be2dbf1d737c918963d2f183aa778e1
SHA256: 064c34c9f92f6aca636b5b53006b539853268570f048f33155c6a6635d6c0e7b
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • None

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: b04c620540a971e93390ba9ec7cc8641
SHA1: cb612a48eff7c60c40a6bb64b78fb47d5709f5e7
SHA256: 1b2af8b31416f68051db213bcdcf82775e29191b6d069c327988e02e654030ad
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • None

jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.websocket:websocket-api:9.2.11.v20150529)

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.2.11.v20150529\jetty-all-9.2.11.v20150529.jar\META-INF/maven/org.eclipse.jetty.websocket/websocket-api/pom.xml
MD5: b5bf99495e883a2f0af751ab063930e6
SHA1: 6bc18162b8feef2ba77529465674c679436ee628
SHA256: 6468cecf0002e3bee93a71f5047e63ca69cd53bf2be330135536996dd434d3ac
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.2.11.v20150529  Confidence: High

jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.spdy:spdy-core:9.2.11.v20150529)

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.2.11.v20150529\jetty-all-9.2.11.v20150529.jar\META-INF/maven/org.eclipse.jetty.spdy/spdy-core/pom.xml
MD5: 29de57062331afa01e56712f25426440
SHA1: 7ffacd1fe0dc339a2225070cdd8a7db4a2af1e36
SHA256: 82effdce709064f10991d2734f213fb320a3979591b445656ebe875cb665e969
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty.spdy:spdy-core:9.2.11.v20150529  Confidence: High
  • cpe: cpe:/a:jetty:jetty:9.2.11.v20150529  Confidence: Low
  • cpe: cpe:/a:eclipse:jetty:9.2.11.v20150529  Confidence: Low

CVE-2017-7656

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty.spdy:spdy-http-server:9.2.11.v20150529)

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.2.11.v20150529\jetty-all-9.2.11.v20150529.jar\META-INF/maven/org.eclipse.jetty.spdy/spdy-http-server/pom.xml
MD5: 300bf7bbbc03d86817eb7ae39feb4464
SHA1: d37d6fbfe2516278e158f097d8f1c60fb279c069
SHA256: 5257dde44b6d2df0c8f998ddac6bfbca41165b297c7460fc6c00e8b15ee776cb
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty.spdy:spdy-http-server:9.2.11.v20150529  Confidence: High
  • cpe: cpe:/a:jetty:jetty_http_server:9.2.11.v20150529  Confidence: Low

jetty-all-9.2.11.v20150529.jar (shaded: org.eclipse.jetty:jetty-io:9.2.11.v20150529)

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.2.11.v20150529\jetty-all-9.2.11.v20150529.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 80987156192e571069d08f5fc8230051
SHA1: 588efa4b7b6aad4baa5c57c4d449227c2e6244f2
SHA256: 29ebff1ecfef6a6659508d2f048693a9434a00ee940c0fd0a007a271c99261f9
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.2.11.v20150529  Confidence: High

aesh-readline-1.7.jar (shaded: org.aesh:aesh-terminal-api:1.7)

Description:

Æsh (Another Extendable SHell) Terminal API

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-readline\1.7\aesh-readline-1.7.jar\META-INF/maven/org.aesh/aesh-terminal-api/pom.xml
MD5: bd884301d277191a453d4c44487314f4
SHA1: 53ae2780063b62cb676869f59420f37221e2f784
SHA256: ea83bba0d6f61b0975d31c51af0486365094795c77cdfd70373a15dde00c99cf
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-terminal-api:1.7  Confidence: High

jansi-1.16.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.15)

Description:

The API that projects using HawtJNI should build against.

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml
MD5: 647b1d17fea9ada902c6957c217fb028
SHA1: bdc2747022fe40d618c15d2cd8e54b216bd816a2
SHA256: d296eb284ed73aa8c8ad1deb09ada9961095a54e561fa0ae9b924baea6f81165
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.fusesource.hawtjni:hawtjni-runtime:1.15  Confidence: High

jansi-1.16.jar (shaded: org.fusesource.jansi:jansi-${platform}:1.7)

Description:

Jansi is a Java library for generating and interpreting ANSI escape sequences.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.jansi/jansi-freebsd32/pom.xml
MD5: 313016fe540f2f7c61d5a12aec5d8f6e
SHA1: b5b391dae1f179a9c5fe0ee9f0fb8274d1c9f6f7
SHA256: 2c7590e205ef70284e27e07771d6dc496a6755413b960b66a4b6f9800cd33e97
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.fusesource.jansi:jansi-${platform}:1.7  Confidence: High
  • cpe: cpe:/a:id:id-software:1.7  Confidence: Low

jansi-1.16.jar (shaded: org.fusesource.jansi:jansi:1.16)

Description:

Jansi is a Java library for generating and interpreting ANSI escape sequences.

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.jansi/jansi/pom.xml
MD5: 22e8c23b0f2222d48e258bfbebeeee46
SHA1: ea66f725a6ee07c48cb093b00e842c3eefac48f6
SHA256: 709d5dcc080e5e3788ff1b209bd97d9c4a6f0b80418e3d3b724f3e7e2449620c
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:id:id-software:1.16  Confidence: Low
  • maven: org.fusesource.jansi:jansi:1.16  Confidence: High

wildfly-elytron-tool-1.2.2.Final.jar (shaded: commons-cli:commons-cli:1.3.1)

Description:

Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\wildfly-elytron-tool\1.2.2.Final\wildfly-elytron-tool-1.2.2.Final.jar\META-INF/maven/commons-cli/commons-cli/pom.xml
MD5: 16849669639d4745fe0890e15856c996
SHA1: 7cfa08c046e048faf18b68b26742d3185d49fa94
SHA256: 6672fad281b89974560a13e63b01a067418e7b72b2345579d6134ca0e1a3b032
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: commons-cli:commons-cli:1.3.1  Confidence: High

jaxb-core-2.2.11.jar (shaded: com.sun.istack:istack-commons-runtime:2.21)

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.2.11\jaxb-core-2.2.11.jar\META-INF/maven/com.sun.istack/istack-commons-runtime/pom.xml
MD5: caebf95d1d57fc0321b36137e246e192
SHA1: 04c234cf684a202c5c9bb7f0a198ba97e958f8f4
SHA256: ebe7137b5fbfd050545f9a7f3f339ae55beb0b53755071b4fd62aa024c626d1c
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: com.sun.istack:istack-commons-runtime:2.21  Confidence: High

jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-core:2.2.11)

Description:

JAXB Core module. Contains sources required by XJC, JXC and Runtime modules.

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.2.11\jaxb-core-2.2.11.jar\META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.xml
MD5: e43898fed87ecb9838381436b212416c
SHA1: f3208abdc61be827cf28838c3881213648807821
SHA256: ec31409f203bcabf99534f59231ec0576d875d4d4b7349b09566a7a8c8179b24
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:jaxb-core:2.2.11  Confidence: High

jaxb-core-2.2.11.jar (shaded: org.glassfish.jaxb:txw2:2.2.11)

Description:

TXW is a library that allows you to write XML documents.

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.2.11\jaxb-core-2.2.11.jar\META-INF/maven/org.glassfish.jaxb/txw2/pom.xml
MD5: 83d24d59202baf2810daa01739963822
SHA1: 4be03527dbf2428f7ea99fb9c2f50f089dffad5e
SHA256: 8514cb724b4fca59a5cf272b632e539bd0a0f3cacf1844082d0a173a86406bd8
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:txw2:2.2.11  Confidence: High

jaxb-impl-2.2.11.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.2.11)

Description:

JAXB (JSR 222) Reference Implementation

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-impl\2.2.11\jaxb-impl-2.2.11.jar\META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: fa2e4dc2609e6a4d96418f4ac6519e8d
SHA1: 6a1651361e4c2392aff30da0df648187f670f8cb
SHA256: e5327b31b595ab8143e97836d5ccdf85feb91e7ff5666f7b26913632facca4aa
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:jaxb-runtime:2.2.11  Confidence: High

camel-core-2.19.3.jar (shaded: org.apache.camel:spi-annotations:2.19.3)

Description:

Annotations for Camel Endpoint developers

File Path: C:\Users\Queue\.m2\repository\org\apache\camel\camel-core\2.19.3\camel-core-2.19.3.jar\META-INF/maven/org.apache.camel/spi-annotations/pom.xml
MD5: 5664fd189008d580cdcf97aeaa27e83a
SHA1: ff7521a8b8bfaeb576395828830ceb56c4320949
SHA256: 9814e90cc718580c1c483b0fd6627788b8924def967ebe89c599c86fd4b9d092
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.apache.camel:spi-annotations:2.19.3  Confidence: High
  • cpe: cpe:/a:apache:camel:2.19.3  Confidence: Low

htrace-core4-4.0.1-incubating.jar (shaded: commons-logging:commons-logging:1.1.1)

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.0.1-incubating\htrace-core4-4.0.1-incubating.jar\META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976d812430b8246deeaf2ea54610f263
SHA1: 76672afb562b9e903674ad3a544cdf2092f1faa3
SHA256: d0f2e16d054e8bb97add9ca26525eb2346f692809fcd2a28787da8ceb3c35ee8
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: commons-logging:commons-logging:1.1.1  Confidence: High

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.